During our engagements, we routinely look for source code or other internal sensitive information that could have been inadvertently posted. The team has been doing this as part of our standard engagements for quite a while, and we routinely identify information through this method that clients are always thankful to be notified about. “But I have DLP!” – quite frequently, DLP won’t detect uploads to sites like Pastebin or GitHub.
Detecting data leakage…
Some of the things we’ve found have been quite serious, and not limited to developers, code or typical office documents. For instance, the team once found device configs on a misconfigured personal web server which belonged to a network consultant. He had uploaded them as a backup mechanism, but inadvertently exposed the files due to a misconfiguration; this exposed several IDs (including passwords) for several organizations he supported. In another more recent instance, we identified some internal scripts uploaded to GitHub that contained a domain user and password for the client we were working with.
When the team first started doing this, it was all manual work. They would come up with terms related to the organization (based on domain names, IPs, or leaked info, for example) and go off and see what could be discovered. About four or five years ago, there was a large increase in general awareness around code being uploaded to public spaces that contained information such as API keys. Many, many tools popped up based around this, but most of them were restricted to finding things such as “apikey=”, “password=”, or doing regexes to match specific API key formats.
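As an added illustration (not the team's tool), the snippet below combines the two approaches described above: the generic `apikey=` / `password=` patterns that most public tools use, plus organization-specific seed terms (owned domains, IP ranges, an AD/NetBIOS name) that catch leaks the generic patterns miss. The organization names, CIDR block and sample script are constructed placeholders.

```python
import re
from ipaddress import ip_address, ip_network

# Generic assignment patterns of the kind the early public tools looked for.
GENERIC_PATTERNS = {
    "apikey": re.compile(r"(?i)\bapi[_-]?key\s*[=:]\s*['\"]?([^\s'\"]+)"),
    "password": re.compile(r"(?i)\bpass(?:word|wd)?\s*[=:]\s*['\"]?([^\s'\"]+)"),
}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def _alt(words, prefix=""):
    """Case-insensitive whole-word alternation of seed terms; never matches if empty."""
    if not words:
        return re.compile(r"(?!)")  # a pattern that can never match
    return re.compile(r"(?i)\b" + prefix + r"(?:" + "|".join(map(re.escape, words)) + r")\b")

def scan(text, domains, ip_ranges, terms=()):
    """Return (line_no, kind, value) for every generic or organization-specific hit."""
    domain_re = _alt(domains, prefix=r"(?:[a-z0-9-]+\.)*")  # subdomains of owned domains match too
    term_re = _alt(terms)                                    # e.g. the AD/NetBIOS domain name
    nets = [ip_network(n) for n in ip_ranges]                # owned CIDR blocks
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pat in GENERIC_PATTERNS.items():
            hits += [(line_no, kind, m.group(1)) for m in pat.finditer(line)]
        hits += [(line_no, "org-domain", m.group(0)) for m in domain_re.finditer(line)]
        hits += [(line_no, "org-term", m.group(0)) for m in term_re.finditer(line)]
        for m in IPV4_RE.finditer(line):
            try:
                addr = ip_address(m.group(0))
            except ValueError:  # e.g. 999.1.1.1 looks like an address but is not one
                continue
            if any(addr in net for net in nets):
                hits.append((line_no, "org-ip", str(addr)))
    return hits

# Constructed sample of a deploy script; the organization is a placeholder, not a real client.
SAMPLE = """\
# deploy helper
$cred = New-Object PSCredential("ACMECORP\\svc_backup", "Winter2019!")
password = "hunter2"
Invoke-WebRequest https://intranet.acmeind.test/api -Proxy 10.20.30.5
API_KEY=sk_live_abc123
echo 8.8.8.8   # public resolver, outside the org ranges, so ignored
"""
ORG = dict(domains=["acmeind.test"], ip_ranges=["10.20.0.0/16"], terms=["ACMECORP"])

if __name__ == "__main__":
    for line_no, kind, value in scan(SAMPLE, **ORG):
        print(f"line {line_no}: {kind} -> {value[:3]}...")  # redact values when reporting
```

Note that the PSCredential line (a domain user and password, like the GitHub case above) is only flagged because of the organization's own seed term; no generic pattern matches it.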
The automated tools for this got me thinking at the time that I should automate the manual methodology I was using, so it was more efficient and I was less likely to overlook something. Development began, and for the past few years we’ve been successfully using this internally.
Development has been successful, and the internal process works well. Then we started thinking about how we could offer this to our clients to help identify any leaks on a proactive basis. I went off again and started rebuilding it as a service offering. It’s still a work in progress, but we are pretty excited to offer this service, and I wanted to give a heads up to anyone who might be interested in such a service.
We’ll have more news about this shortly, but if you are interested, please let us know at firstname.lastname@example.org or @microsolved on Twitter! We’ll keep you posted as we come closer to release day!