I remember this evening… More than two years ago, at RSA Europe, I was sitting in the hotel bar with my friends Craig Balding and Brian Honan talking about everything and nothing.
Which topic was at the source of this? It’s too long ago, but I had the idea to register the domain “leakedin.com”. A funny name close to that of the well-known social network for professionals. Once back in my room, I checked and the domain was available… not for long! My idea was to open a new blog with articles about data loss and data leaks. I started the blog but quickly stopped updating it due to a lack of time. The content was not updated until recently.
Today I have a tool to monitor pastebin.com and I had another idea: why not compile my findings on a website to show everybody the risks of having sensitive data copied to pastebin.com (intentionally or not)? Some kind of “security awareness” website.
Today, I published a new version of my tool just before the BlackHat Arsenal. Among other things, I added an option to send collected data to a WordPress blog using its XMLRPC interface.
At the same time, leakedin.com is now back online with live data posted by my tool, which runs on a 24×7 basis. What am I looking for? Here are some interesting regular expressions:
-----BEGIN RSA PRIVATE KEY-----
-----BEGIN DSA PRIVATE KEY-----
-- phpMyAdmin SQL Dump
-- MySQL dump
-----BEGIN CERTIFICATE-----
-----BEGIN PGP PRIVATE KEY BLOCK-----
\.HOIC
enable secret
encrypted password \".*\";
root:.*:0:0:
root:.*:0:99999:7:::
CN\=Admin
http://[a-zA-Z0-9-_]\:.*\@[a-zA-Z0-9-_].[a-zA-Z0-9-_]
ftp://[a-zA-Z0-9-_]\:.*\@[a-zA-Z0-9-_].[a-zA-Z0-9-_]
\?[a-zA-Z0-9-_]=.*UNION.*SELECT
mysql_connect\([^\$]
http:\/\/.*\.\.\/\.\.\/\.\.
remote file inclusion
\|\s+Password\s+\|
[p0o]wn[3d]d
If you have suggestions for new regular expressions, feel free to share! The website is available here and the RSS feed here.
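As an added illustration (this is not the author's tool, whose code is not shown on this page), the following Python code applies some of the regular expressions listed above to a constructed paste, line by line, and reports only a truncated excerpt of each match so that the report does not republish the leaked value. The labels, the function name, the case-sensitive matching and the sample data are assumptions made for this example.

```python
import re

# Patterns copied verbatim from the list in the post; the labels are added here.
# Matching is case-sensitive, which is an assumption of this example.
PATTERNS = {
    "rsa-private-key": r"-----BEGIN RSA PRIVATE KEY-----",
    "dsa-private-key": r"-----BEGIN DSA PRIVATE KEY-----",
    "pgp-private-key": r"-----BEGIN PGP PRIVATE KEY BLOCK-----",
    "certificate": r"-----BEGIN CERTIFICATE-----",
    "mysql-dump": r"-- MySQL dump",
    "unix-passwd-root": r"root:.*:0:0:",
    "unix-shadow-root": r"root:.*:0:99999:7:::",
    "hardcoded-mysql-connect": r"mysql_connect\([^\$]",
    "password-table": r"\|\s+Password\s+\|",
}
COMPILED = {label: re.compile(rx) for label, rx in PATTERNS.items()}

# Constructed sample paste: every credential below is fake.
SAMPLE_PASTE = """\
$link = mysql_connect("db.example.test", "app", "constructed-password");
$link = mysql_connect($host, $user, $pass);
root:x:0:0:root:/root:/bin/bash
root:$6$constructed$notarealhash:15500:0:99999:7:::
-----BEGIN RSA PRIVATE KEY-----
just an ordinary line of text
"""


def scan_paste(text, keep=16):
    """Return (line_no, label, excerpt) for each pattern that hits a line.

    Only the matched text is reported, cut to `keep` characters, so a
    finding never carries the full secret it points at.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, rx in COMPILED.items():
            m = rx.search(line)
            if m:
                hit = m.group(0)
                excerpt = hit if len(hit) <= keep else hit[:keep] + "[...]"
                findings.append((line_no, label, excerpt))
    return findings


if __name__ == "__main__":
    for line_no, label, excerpt in scan_paste(SAMPLE_PASTE):
        print(f"line {line_no}: {label}: {excerpt}")
```

Line 2 of the sample is not reported because mysql_connect\([^\$] only fires when the first argument is a literal rather than a variable, which is what separates hardcoded credentials from ordinary code.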
Great idea! But what can we do with this data now?
It’s like log files. The problem is to “read” them…