Posted by: Michael Morisy
While WikiLeaks has been garnering headlines for leaking tens of thousands of pages of sensitive documents, there’s a quieter internal leaker that has so far gone unnoticed: Google Cache and lax security practices at the United States Marine Corps. Thanks to an anonymous tipster, we discovered dozens of internal documents (and possibly many, many more) available to anyone via the simple Google query: “site:cio.usmc.mil”.
What the results show are various documents, presentations and other files that are tucked securely away on the United States Marine Corps’s IT servers … unless you click for the Google Cached version which often shows you a complete copy of the spreadsheet, PowerPoint or Word document. Sometimes the Cached version calls on an image still on the military’s secure servers, but simply clicking “Cancel” when prompted for a username and password takes you to the un-redacted documents. It’s basic Google Hacking at its most elementary, and more advanced cyber sleuths might find more.
While we didn’t see any classified or highly sensitive documents in our own searches, we did find:
- References to classified systems and software.
- Internal planning documents for equipment deployments.
- Concerns about “pornographic material” infiltrating networks, intentionally and through spyware.
- Handbooks that cover everything from purchasing guidance to new employee orientation.
More worrying than any of the individual documents, however, is the fact that:
a) This security hole exists in the first place.
b) It exists in the Marine Corps’ CIO servers designed for the IT department.
If this is the IT department’s own internal site, one can only imagine what other unsecured documents are wandering the web, open for disclosure by the next amateur Julian Assange. Lax security policies, after all, are apparently the source of all three of WikiLeaks’s recent exposés, since in those cases sensitive files were made available to such a large group of individuals that it was impossible to properly vet and monitor access. While those first leaks were made months ago, most of the high-level discussions have been going after the symptoms – the actual leaker and WikiLeaks – rather than the source, which is ultimately poor security practice.
When asked about the ability to scan the USMC Intranet, and provided with some PDFs of password-protected documents, a spokesman responded with this:
Thanks for the email, we’ll check and get back to you.
I did a quick Google search for both of the PDFs you attached, and both are available without password/not restricted, and I expect the same for most anything that would be hung on a www.XXXXX.usmc.mil domain would be non-sensitive.
We’ll be in touch.
Capt Brian Block
HQMC DivPA Media Branch
But a lot of the documents aren’t available without a username and password.
I spoke with security researcher Chris Wysopal of Veracode, who said that cases of sensitive files accidentally posted online are more common than most IT shops are aware. For the best prevention, Wysopal suggests setting firm policies in place not to post files – even unlinked or temporary – on public servers without access control software in place, with most files being shared only over a secured Intranet that requires VPN access.
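One way an IT shop could check its own servers for the exposure described above, as an added example that is not part of the original article: review the web server's access log for office documents that a search crawler fetched successfully with no authenticated user. The log lines, paths and addresses are constructed, the Combined Log Format is an assumption about the server, and matching Bingbot as well as Googlebot goes beyond the Google case in the text.

```python
import re

# Combined Log Format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)
DOC_EXT = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")
# The User-Agent header can be forged, so a match means "review this", not proof.
CRAWLER_RE = re.compile(r"googlebot|bingbot", re.I)


def find_crawled_documents(lines):
    """Return sorted document paths a crawler fetched with 200 and no auth user."""
    exposed = set()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if (m["status"] == "200" and m["user"] == "-"
                and path.lower().endswith(DOC_EXT)
                and CRAWLER_RE.search(m["agent"])):
            exposed.add(path)
    return sorted(exposed)


GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
# Constructed sample log (documentation-range addresses, hypothetical paths).
SAMPLE_LOG = [
    # Crawler got the file without credentials: this copy can end up cached.
    f'192.0.2.10 - - [01/Dec/2010:10:00:00 +0000] "GET /docs/orientation.pdf HTTP/1.1" 200 48211 "-" "{GOOGLEBOT}"',
    # Access control worked: the crawler was refused.
    f'192.0.2.10 - - [01/Dec/2010:10:00:05 +0000] "GET /docs/deploy-plan.xls HTTP/1.1" 401 512 "-" "{GOOGLEBOT}"',
    # Authenticated employee download: expected traffic.
    '198.51.100.7 - jsmith [01/Dec/2010:10:01:00 +0000] "GET /docs/deploy-plan.xls HTTP/1.1" 200 90112 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    # Unauthenticated crawler fetch with a query string.
    f'192.0.2.10 - - [01/Dec/2010:10:02:00 +0000] "GET /briefs/network.ppt?v=2 HTTP/1.1" 200 120034 "-" "{GOOGLEBOT}"',
    # Ordinary HTML page: not a document type under review.
    f'192.0.2.10 - - [01/Dec/2010:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "{GOOGLEBOT}"',
]

if __name__ == "__main__":
    for doc in find_crawled_documents(SAMPLE_LOG):
        print("served to crawler without authentication:", doc)
```

Any path this reports was readable by the crawler at fetch time, so it needs both access control on the server and removal of the cached copy from the search engine.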