Enterprise IT Watch Blog

Nov 30 2010   9:59AM GMT

Google Cache is the new WikiLeaks

Michael Morisy Michael Morisy Profile: Michael Morisy

While WikiLeaks has been garnering headlines for leaking tens of thousands of pages of sensitive documents, there’s a quieter internal leaker that has so far gone unnoticed: Google Cache and lax security practices at the United States Marine Corps. Thanks to an anonymous tipster, we discovered dozens of  internal documents (and possibly many, many more) available to anyone via the simple Google Query: “site:cio.usmc.mil“.

What the results show are various documents, presentations and other files that are tucked securely away on the United States Marine Corps’s IT servers … unless you click for the Google Cached version which often shows you a complete copy of the spreadsheet, PowerPoint or Word document. Sometimes the Cached version calls on an image still on the military’s secure servers, but simply clicking “Cancel” when prompted for a username and password takes you to the un-redacted documents. It’s basic Google Hacking at its most elementary, and more advanced cyber sleuths might find more.

While we didn’t see any classified or highly sensitive documents in our own searches, we did find:

  • References to classified systems and software.
  • Internal planning documents for equipment deployments.
  • Concerns about “pornographic material” infiltrating networks, intentionally and through spyware.
  • Handbooks that cover everything from purchasing guidance to new employee orientation.

More worrying than any of the individual documents, however, is the fact that:

a) This security hole exists in the first place.

b) It exists in the Marine Corp’s CIO servers designed for the IT department.

If this is the IT department’s own internal site, one can only imagine what other unsecured documents are wandering the web, open for disclosure by the next amateur Julian Assange. Lax security policies, after all, are apparently the source of all three of Wikileaks’s recent expose, since in that case sensitive files were made available to such a large group of individuals that it was impossible to properly vet and monitor access. While those first leaks were made months ago, most of the high-level discussions have been going after the symptoms – the actual leaker and Wikileaks – rather than the source, which is ultimately poor security practice.

When asked about the ability to scan the USMC Intranet, and provided with some PDFs of password protected documents, a spokesman responded with this:

Michael,
Thanks for the email, we’ll check and get back to you.

I did a quick google search for both of the pdf’s you attached, and both are available without password/not restricted, and I expect the same for most anything that would be hung on a www.XXXXX.usmc.mil domain would be non-sensitive.

We’ll be in touch.

V/R,

Capt Brian Block
HQMC DivPA Media Branch

But a lot of the documents aren’t available without a username and password.

I spoke with security researcher Chris Wysopal of Veracode, who said that cases of sensitive files accidentally posted online is more common than most IT shops are aware. For the best prevention, Wysopal suggests setting firm policies in place not to post files – even unlinked or temporary – on public servers without access control software in place, with most files being shared only over a secured Intranet that requires VPN access.

Michael Morisy is the editorial director for ITKnowledgeExchange. He can be followed on Twitter or you can reach him at Michael@ITKnowledgeExchange.com.

4  Comments on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Michael Morisy
    [...] 2. Everybody’s talking about WikiLeaks, which allows quieter internal leakers to go unnoticed: Google Cache and lax security practices at the United States Marine Corps. Our very own Michael Morisy reports on how Google Cache is the new WikiLeaks. [...]
    0 pointsBadges:
    report
  • Michael Morisy
    [...] up on our piece explaining how to access certain Marine Corps’ password-protected materials, we received another e-mailed response to a few of our questions which shed a little on the [...]
    0 pointsBadges:
    report
  • Michael Morisy
    [...] 4. Editorial director Michael Morisy, with the help of an anonymous tipster discovers a quieter internal leaker that has gone unnoticed: Google Cache is the new WikiLeaks. [...]
    0 pointsBadges:
    report
  • Michael Morisy
    [...] In 2011, both the benefits and the losses are too potentially high to ignore, particularly with WikiLeaks exposing just how vulnerable your data is in the connected [...]
    0 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: