Community Security
Awareness Training
Barbara Endicott-Popovsky, Ivan Orton, Kirk Bailey, Deb Frincke
Member, IEEE
About the authors
Barbara Endicott-Popovsky, Lecturer, Seattle University
Ivan Orton, JD, Senior Deputy Prosecuting Attorney with the Fraud Division of the King County Prosecutor's Office in Seattle
Kirk Bailey, Chief Information Security Officer, City of Seattle
Deb Frincke, Ph.D., Chief Scientist Cybersecurity, Pacific Northwest National Laboratory and Professor (on leave), Computer Science Dept., University of
Agora….
Forum for airing current issues of concern among IA professionals
Meets quarterly in the Northwest
Addresses the unintended consequences of a proliferating digital infrastructure that reaches out over insecure public networks
Recent Achievements
State legislative change regarding cyber stalking, a fast-growing Internet crime
Responding to a case involving a City of Seattle employee, Agora undertook a two-year project of tracking down the stalker and assisting in the eventual prosecution
Became the impetus behind some of the first
Current Focus
Vulnerability of personal and private information in Internet-accessible systems
Bring attention to improving network and data management
2005 IEEE Workshop on IA, USMA West Point
Widespread Community Problem:
Identity Theft
Growing problem
Affects government/business infrastructure and individuals
1 in 20 Americans was an identity theft victim last year
Hundreds of millions of dollars of impact on the U.S. economy (FTC report)
Most institutions cover direct consumer losses
Consumers cover the coping costs, averaging $1000/incident
Agora Solution:
Create a security awareness event demonstrating:
the accessibility of personal/private information through public networks
how little skill is needed to acquire it
Design experiential learning: a Google-Hacking Contest
Invite business and government leaders, and the press
Enthuse community leaders about exploring Google-hacking
"Google-hacking" commonly refers to obtaining anything exploitable, including usernames, passwords, credit card numbers and other personally identifiable information, using the search engine.
Why Google Hacking?
Search engines can be effective hacking tools
Google selected for its wide familiarity
Requires little or no programming skill: knowledge of a minimal list of Google operators and how to concatenate them into a Google query string
Google hacking information is readily available:
search for "Google hacking" on Google itself! http://johnny.ihackstuff.com/
the first 3 chapters of Google Hacking by Johnny Long
a few hours of online practice
Poorly Configured and Administered Systems at Fault
"Uneducated folks putting content on the web they think is hidden from the world"
Example: directory indexing that exposes file paths and useful files
Requires more thoughtfully configured networks:
Keep private, sensitive information beyond the reach of web crawlers
Understand how web crawlers and search engines work
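The directory-indexing example above is the kind of exposure a site owner can check for before a crawler does. The following Python script is an added example, not part of the original slides: it parses the "Index of /" listing page that Apache's mod_autoindex generates, extracts the linked file names and flags the ones the contest found productive (spreadsheets, Access databases, credential files). The HTML listing, the file names and the risk lists are constructed for the example.

```python
"""Flag files a crawler could harvest from an exposed directory listing.

Added example, not from the original slides. It parses an Apache-style
"Index of /" page, pulls out the linked file names, and rates each one by
how attractive it is to a Google hacker. The HTML below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import unquote

# File types and names the contest slides single out as productive (assumed list).
RISKY_EXTENSIONS = {"xls": "spreadsheet", "mdb": "Access database",
                    "sql": "database dump", "bak": "backup copy"}
RISKY_NAMES = {"auth_user_file.txt": "htpasswd-style credential list",
               ".htpasswd": "Apache password file"}


class IndexListingParser(HTMLParser):
    """Collect the <title> text and every href in the page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(unquote(href))

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def is_directory_listing(title):
    """mod_autoindex titles its pages 'Index of <path>'."""
    return title.strip().lower().startswith("index of")


def classify(name):
    """Return why the file is worth a closer look, or None if it is not."""
    base = name.rsplit("/", 1)[-1]
    if base in RISKY_NAMES:
        return RISKY_NAMES[base]
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    return RISKY_EXTENSIONS.get(ext)


def audit_listing(html):
    """Return (is_listing, [(file, reason), ...]) for one fetched page."""
    p = IndexListingParser()
    p.feed(html)
    if not is_directory_listing(p.title):
        return False, []
    findings = []
    for href in p.hrefs:
        # Skip mod_autoindex sort links (?C=N;O=D), the parent link and subdirectories.
        if href.startswith("?") or href.endswith("/"):
            continue
        reason = classify(href)
        if reason:
            findings.append((href, reason))
    return True, findings


# Constructed sample: what an unprotected /backup/ directory looks like to a crawler.
SAMPLE_LISTING = """<html><head><title>Index of /backup</title></head><body>
<h1>Index of /backup</h1><pre>
<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<a href="/">Parent Directory</a>
<a href="members.xls">members.xls</a>
<a href="admin.mdb">admin.mdb</a>
<a href="auth_user_file.txt">auth_user_file.txt</a>
<a href="notes.txt">notes.txt</a>
<a href="old/">old/</a>
</pre></body></html>"""

if __name__ == "__main__":
    listing, hits = audit_listing(SAMPLE_LISTING)
    print("directory listing:", listing)
    for path, why in hits:
        print(f"  {path}: {why}")
```

Running the audit against pages fetched from your own hosts shows what a search engine would index; the fix is to disable automatic indexes (Options -Indexes in Apache, autoindex off in nginx) and to keep such files out of the web root altogether, since a robots.txt entry only asks well-behaved crawlers to stay away and also advertises the path.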
Community Security
Awareness Training Event
Purpose: raise the community's consciousness about the vulnerability of sensitive information to compromise on systems linked to public networks
Vehicle: Google Hacking Contest
Sponsored by: the Agora and Seattle U
March 4, 2005, Seattle, Washington
Public invited: IA professionals; Attorney General, State of Washington; business leaders
Reference: NIST Special Publication 800-50 (Building an Information Technology Security Awareness and Training Program)
Recognizes the "people factor" as the weakest link
Guideline for developing and implementing security awareness training
All IS users must be made aware of their roles and responsibilities in maintaining security
Any awareness event should be designed for the intended audience and built around a message and desired outcomes
NIST Guidelines for Security Awareness Event

NIST Guideline                            | Google Hacking Event Attributes
Designed for specific audience            | Business and community leaders in Seattle
Built around a message                    | "Alarming vulnerability of public and private information to compromise on public networks"
Built around desired outcomes             | Gain attention; influence legislation
User awareness of roles / responsibilities | Event summation focused on roles and responsibilities regarding identity
AGORA’S Google Hacking
Contest Rules
Rule #1: Information Protection
All contest participants must be VERY
CAREFUL to manage and protect any sensitive
information they discover
Rule #2: Required Gear for
Competitors
Teams must bring their own equipment ('stuff') to play, plus at least one standard-size (8½" x 11") notepad
AGORA’S Google Hacking
Contest Rules (cont’d.)
Rule #3: Respect Host’s Network
Access provided by host, Seattle U, for the
contest only
Rule #4: Judging
Each team assigned a Contest Judge to validate
AGORA’S Google Hacking
Contest Rules (cont’d.)
Rule #5: Time allowed
45 minutes only
Rule #6: Scoring
Google Hacking Score Card

Personally Identifiable Information                                  | Points
Name and Social Security Number (SSN) together                       | 1 pt
Name, SSN, Date of Birth (DOB) together                              | 2 pts
Name, Credit Card number (CCN#) together                             | 1 pt
Name, CCN#, Exp. Date, 3-digit security code (CID#) together         | 2 pts
Name, Bank Account # or Brokerage Account #                          | 3 pts
Name, Bank Account # or Brokerage Account #                          | 1 pt
Name, Bank Account Number and PIN                                    | 3 pts
Add'l data assoc'd with each CCN# & SSN# (e.g. address, phone)       | 0.5 pt
Name, password, related online account identifier to anything       | 5 pts
Bonus points for anything above associated with a WA State citizen  | 10 pts
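The scorecard is also a reasonable triage rule for anyone who finds one of their own files exposed. The Python below is an added example, not part of the original slides: it applies the scorecard rows to dumped database rows, with a Luhn checksum so that random 16-digit strings are not counted as card numbers and an SSN format check that rejects area/group/serial values the SSA never issues. The "key=value; key=value" row format, the field names and every record are constructed test data, not real identities; because the scorecard lists the bank/brokerage account row twice (3 pts and 1 pt), the example assumes the 3-point value.

```python
"""Score a harvested record against the contest's PII scorecard.

Added example, not part of the original slides. Records use a constructed
'key=value; key=value' format; all values are test data.
"""
import re

# Reject area 000/666/9xx, group 00 and serial 0000, which are never issued.
SSN_RE = re.compile(r"^(?!000|666|9)\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")


def luhn_ok(number):
    """True if the digit string passes the Luhn checksum used by card issuers."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_record(line):
    """Constructed 'key=value; key=value' row -> dict with lower-case keys."""
    rec = {}
    for part in line.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            rec[key.strip().lower()] = val.strip()
    return rec


def score_record(rec):
    """Return (points, reasons) for one record under the scorecard."""
    pts, why = 0.0, []
    if "name" not in rec:
        return 0.0, ["no name, so nothing ties the data to a person"]
    if "ssn" in rec:
        if SSN_RE.match(rec["ssn"]):
            pts += 2 if "dob" in rec else 1
            why.append("name+SSN" + ("+DOB (2)" if "dob" in rec else " (1)"))
        else:
            why.append("SSN fails format check, not counted")
    if "ccn" in rec:
        if luhn_ok(rec["ccn"]):
            full = "exp" in rec and "cid" in rec
            pts += 2 if full else 1
            why.append("name+CCN" + ("+exp+CID (2)" if full else " (1)"))
        else:
            why.append("CCN fails Luhn, not counted")
    if "account" in rec:
        # Scorecard lists this row twice (3 pts and 1 pt); 3 is assumed here.
        pts += 3
        why.append("name+bank/brokerage account" + ("+PIN" if "pin" in rec else "") + " (3)")
    if pts and ("ssn" in rec or "ccn" in rec):
        extras = [k for k in ("address", "phone") if k in rec]
        pts += 0.5 * len(extras)
        why.extend(f"extra {k} (0.5)" for k in extras)
    if "password" in rec and "login" in rec:
        pts += 5
        why.append("name+password+online account identifier (5)")
    if pts and rec.get("state", "").upper() == "WA":
        pts += 10
        why.append("WA State citizen bonus (10)")
    return pts, why


def score_document(lines):
    """Total points for a whole harvested file."""
    return sum(score_record(parse_record(line))[0] for line in lines)


# Constructed test rows; 4111 1111 1111 1111 is a standard Luhn-valid test number.
SAMPLE_RECORDS = [
    "name=Jane Doe; ssn=123-45-6789; dob=01/02/1970; address=1 Main St; phone=555-0100; state=WA",
    "name=John Roe; ccn=4111 1111 1111 1111; exp=12/27; cid=123; state=OR",
    "name=Ann Poe; ccn=1234 5678 9012 3456",
    "name=Sam Lee; login=slee; password=hunter2; state=WA",
    "ssn=123-45-6789; dob=03/04/1980",
]

if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        pts, why = score_record(parse_record(line))
        print(f"{pts:5.1f}  {line}\n       {'; '.join(why)}")
    print("total:", score_document(SAMPLE_RECORDS))
```

The third row shows why the Luhn check matters: a plausible-looking 16-digit string scores nothing, which keeps a team (or a data-loss scanner) from counting order numbers and timestamps as card numbers.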
Successful Hacking Approach
Limit the number of pages to search
Narrow searches
Concatenate Boolean and advanced operators into queries

Useful Advanced Operators

Advanced Operator | Purpose
intitle:          | Restricts search to pages with the specified word in the title
inurl:            | Restricts search to pages with the specified word in the URL
cache:            | Shows the version of a page in Google's cache
filetype:         | Restricts search to a file type (the xls and mdb file types are particularly useful)
Example Query Strings

allintitle: restricted filetype:doc site:gov
Searches for pages with 'restricted' in the title, limited to .doc files on .gov sites. (allintitle: claims every term that follows it, so it combines unreliably with other operators; intitle:restricted filetype:doc site:gov is the more predictable form.)

intitle:"index of" members OR accounts
Searches for directory listings ("index of" in the title) that also mention either members or accounts.

allintitle: "index of/root"
Searches for pages with "index of/root" in the title. Returned 1490 pages that can be mined for information.

allinurl:auth_user_file.txt
Searches for URLs containing auth_user_file.txt, a file name that typically holds a list of user names and passwords.

allinurl: admin mdb
Searches for URLs containing both admin and mdb, i.e. administrators' Access databases containing usernames, passwords and other sensitive
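The query strings above are built from a handful of operators joined together, and it is useful to be able to try one against a page inventory you already hold (for example a crawl of your own site) before a search engine indexes the content. The Python below is an added example, not part of the original slides and not Google's code: parse_query() reads the operator syntax used above (intitle:, allintitle:, inurl:, allinurl:, filetype:, site:, quoted phrases, OR) and search() applies it to page records. The page inventory is constructed, and the matching rules are a simplification of Google's; in particular, allintitle:/allinurl: here apply only to the plain terms that follow them, while other operators keep working.

```python
"""Evaluate a Google-hacking query string against a local page inventory.

Added example; not from the original slides and not Google's code. The
page records below are constructed, and the matching is a simplification.
"""
import re
import shlex
from urllib.parse import urlparse

OPERATORS = ("intitle", "inurl", "filetype", "site", "allintitle", "allinurl")
_OP_SPACE = re.compile(r"\b(%s):\s+" % "|".join(OPERATORS), re.I)


def parse_query(query):
    """Return OR-groups: a list of lists of (field, value); every group must match."""
    # "allinurl: admin" -> "allinurl:admin", so the operator and its term stay one token
    query = _OP_SPACE.sub(lambda m: m.group(1).lower() + ":", query)
    groups, all_field, join_next = [], None, False
    for tok in shlex.split(query):                 # shlex keeps "index of" together
        if tok == "OR":
            join_next = True
            continue
        op, sep, val = tok.partition(":")
        op = op.lower()
        if sep and op in OPERATORS:
            if op.startswith("all"):               # allintitle -> title, allinurl -> url
                all_field = op[5:]
                if not val:
                    continue
                clause = (all_field, val.lower())
            elif op in ("intitle", "inurl"):
                clause = (op[2:], val.lower())
            else:
                clause = (op, val.lower())
        else:
            clause = (all_field or "text", tok.lower())
        if join_next and groups:
            groups[-1].append(clause)              # OR binds to the previous clause
        else:
            groups.append([clause])
        join_next = False
    return groups


def clause_matches(field, value, page):
    """Apply one (field, value) clause to a page record."""
    url = page["url"].lower()
    parts = urlparse(url)
    host = parts.hostname or ""
    if field == "title":
        return value in page["title"].lower()
    if field == "url":
        return value in url
    if field == "filetype":
        return parts.path.endswith("." + value)
    if field == "site":
        return host == value or host.endswith("." + value)
    return value in (page["title"] + " " + page.get("text", "")).lower()


def search(query, pages):
    """URLs of the pages that satisfy every OR-group of the query."""
    groups = parse_query(query)
    return [p["url"] for p in pages
            if all(any(clause_matches(f, v, p) for f, v in g) for g in groups)]


# Constructed inventory, as a crawl of your own hosts might produce.
PAGES = [
    {"url": "http://www.example.gov/files/policy.doc",
     "title": "Restricted Distribution Policy", "text": "internal use only"},
    {"url": "http://www.example.org/backup/",
     "title": "Index of /backup", "text": "members.xls accounts.mdb"},
    {"url": "http://intranet.example.net/db/admin.mdb",
     "title": "admin.mdb", "text": ""},
    {"url": "http://www.example.com/about.html",
     "title": "About Us", "text": "contact us"},
]

if __name__ == "__main__":
    for q in ('allintitle: restricted filetype:doc site:gov',
              'intitle:"index of" members OR accounts',
              'allinurl:auth_user_file.txt',
              'allinurl: admin mdb'):
        print(f"{q!r:48} -> {search(q, PAGES)}")
```

The OR handling is the part most people get wrong when reading a dork: OR binds only the two terms on either side of it, so the second query requires "index of" in the title and then either word, not "index of" or the words.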
The Contest
8 Teams
3 student teams
5 from industry and the professions
8 – 12 Members each
Results (Partial List)
Credit card numbers of military personnel
A million SSNs of recent immigrants, with their tax records and addresses
Names, birth dates, SSNs, race and religion of deceased military personnel
Names, credit card numbers, birth dates and home phone numbers of 388 Americans who ordered pornographic movies from a Brazilian web site
Over one hundred million death certificates with SSNs, dates of birth and city of last residence
Highly personal information on two individuals, including their security clearance level; one was an expert in virology investigations and the other a responder to nuclear emergencies
Winners!
1st Prize: 190 million points
Team of lawyers and computer security experts
Found a database with SSNs of millions of dead people
2nd Prize: 13 million points
Team of penetration testers from a local security firm
Community Awareness
Achieved
Attendees’ feedback indicated shock
Report made to State’s Attorney General
Publicity
Front Page article Seattle Times
Wall St Journal article
Lessons Learned, Future Work,
Conclusions
Lessons Learned
Security awareness training can be effective for educating a community
NIST Special Publication 800-50 guidelines were applicable
A Google-hacking contest communicates effectively to non-technical people
Such a contest is easy to stage
Notify attendees in advance so that they can form teams, work out logistics (numbers of computers, etc.) and familiarize themselves with Google hacking before
Future Work
Continue the training effort thru U of
Washington Center of Information Assurance
and Cyber Security, an NSA Center of
Academic Excellence
Influence further legislation addressing
protection of personal and sensitive data
address the inequity of victims bearing coping costs
Simple Fairness Principle Restated
Individuals should bear the inconvenience costs associated with misuse of any personal information that they control.
Individuals should not bear the inconvenience costs associated with misuse of their personal information that they do not control.
While the fairness proposition appears
Conclusions
Security awareness event achieved its
goals:
Alerted community leaders to take appropriate
measures to ensure protection of personal and
private information stored in databases
Began process of influencing legislation to
References
ComSec, "Google, A Dream Come True." http://www.governmentsecurity.org/comsec/googletut1.txt (retrieved March 19, 2005).
Googledorks. http://johnny.ihackstuff.com/index.php?module=prodreviews (retrieved March 19, 2005).
Granneman, S., "The Perils of Googling," SecurityFocus. http://www.theregister.co.uk/2004/03/10/the_perils_of_googling/ (retrieved March 19, 2005).
i-Hacked.com, "Google Hacking at its Finest." http://www.i-hacked.com/content/view/23/42/ (retrieved April 15, 2005).
Long, J., Skoudis, E., van Eijkelenborg, A. (ed.) (2004). Google Hacking for Penetration Testers. San Francisco: Syngress Publishing, Inc.
Kotadia, M. (2005). "Protect yourself from 'Google hacking'." Silicon.com, Jan. 14, 2005. http://networks.silicon.com/webwatch/0,39024667,39127080,00.htm (retrieved March 19, 2005).
Ong Boon Kiat, "Google hacking for beginners." CNET Asia, November 8, 2004.