Google searches now reveal PGP keys

Discussion in 'Security, Privacy & Anonymity' started by vivame, Aug 21, 2014.

  1. vivame

    vivame Member

    Google dorks are search terms that allow one to get information they aren't supposed to, because Google indexes everything it can (sometimes even if the robots.txt file tells it not to).

    According to David Schwartzberg, senior security engineer with Sophos, even the best cryptographic algorithms are useless when the secret guarding the secret is commonly available.

    "Seriously. Drop the ego for a moment and think about the potential flaws in your own best practices. Before going live, did you get the software manufacturer or a security consultant involved to point out any potential pitfalls?" he says in his latest security posting.

    "For example, where are your keys stored? Wait, let's back up for a second. Did you implement symmetric or asymmetric cryptography?" he adds.

    And if symmetric, Schwartzberg asks, how are the data encryption keys protected from unauthorised distribution and copying?

    If they are asymmetric, how is the master key protected from unauthorised access and distribution? How many people have access to the recovery password and how many pieces is it in?

    "Hopefully you feel confident with your responses, but that's not all it takes to keep secrets safe. It's a good start", he notes.

    And now it gets interesting, as the Sophos engineer notes Google's mission statement, which he claims is "to organise the world's information and make it universally accessible and useful."

    Yes, he says, they are doing an amazing job.

    "For instance, I was generating some PGP keys at this website I found called iGolder", he adds.

    iGolder, he asserts, puts up a page to communicate securely with the site, a site member or your friend. All using PGP keys.

    "Out of curiosity, I decided to execute a Google web search on "BEGIN PGP PRIVATE KEY BLOCK" which finished with about 29,500 results", he says, adding that, on the first page of results, six out of ten results pointed to a rendered webpage or an ASCII Armor (.asc) file (5 results) with the private key block exposed.

    He goes on to say in his latest security posting that he didn't want to assume that 50% of the 29,500 results pointed to ASC files.

    Refining the Google search to "BEGIN PGP PRIVATE KEY BLOCK filetype:asc", meanwhile, resulted in 21,300 results.

    The problem here, says Schwartzberg, is how many entities implemented PGP and left their private key block readable on their public web site?

    The Sophos senior engineer reports that - from a percentages standpoint, slightly more than one half of one per cent (122) of all the ASC keys indexed by Google are private keys, although, he observes, from a data protection standpoint, that's still 122 too many.

    Those 122 entities, he explained, went through the process of implementing PGP as their form of encryption to protect their secrets, but the secret to their secrets is public.

    "Any of them having a data breach will feel 100% exposed, and ramifications will quickly follow", he says.

    The bottom line? Schwartzberg advises IT professionals to review their organisation's practices for securing data, even if already implemented.

    Dropping the ego and not resting on laurels, he says, is always a good first start.
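The search above only finds key blocks a crawler has already indexed. The same check can be run against your own web root before that happens. What follows is an added example (not from the original post, and not Sophos's or iGolder's code): a Python scanner that locates ASCII-armored PGP blocks in files, decodes the armor body and reads the first OpenPGP packet tag, so a private key pasted under a "PUBLIC KEY BLOCK" label (which the Google query would miss) is still flagged. The three sample blocks are constructed stubs with no real key material; the file names, the `max_bytes` limit and the `demo()` helper are assumptions made for the example.

```python
"""Scan a directory tree (e.g. a web root) for ASCII-armored PGP blocks that
expose private key material.  Added example, not from the original post;
the sample blocks below are constructed stubs, not real keys."""
from __future__ import annotations

import base64
import binascii
import re
import tempfile
from pathlib import Path
from typing import Iterator, Optional

HEADER_RE = re.compile(r"-----BEGIN PGP (?P<label>[A-Z ]+?)-----")
FOOTER_FMT = "-----END PGP {}-----"

# OpenPGP packet tags (RFC 4880, section 4.3) that carry key material.
SECRET_KEY_TAGS = {5: "Secret-Key", 7: "Secret-Subkey"}
PUBLIC_KEY_TAGS = {6: "Public-Key", 14: "Public-Subkey"}


def armor_blocks(text: str) -> Iterator[tuple[str, bytes]]:
    """Yield (label, decoded bytes) for each complete armored block in text.

    Armor layout (RFC 4880, section 6.2): header line, optional "Key: value"
    armor headers, blank line, base64 body, optional "=XXXX" CRC24 line, footer.
    The CRC line is skipped, not verified.  Header-only (truncated) blocks are
    ignored; an undecodable body yields b"".
    """
    for m in HEADER_RE.finditer(text):
        label = m.group("label")
        end = text.find(FOOTER_FMT.format(label), m.end())
        if end < 0:
            continue
        lines = [ln.strip() for ln in text[m.end():end].splitlines()]
        body: list[str] = []
        in_body = False
        for line in lines[1:]:          # lines[0] is the rest of the header line
            if not in_body:
                if line == "":
                    in_body = True
                    continue
                if ":" in line:         # armor header such as "Version: GnuPG v2"
                    continue
                in_body = True          # tolerate a missing blank separator
            if line.startswith("="):    # CRC24 line ends the base64 body
                break
            body.append(line)
        try:
            data = base64.b64decode("".join(body), validate=True)
        except (binascii.Error, ValueError):
            data = b""
        yield label, data


def packet_tag(data: bytes) -> Optional[int]:
    """Return the tag of the first OpenPGP packet in data, or None."""
    if not data or not data[0] & 0x80:  # bit 7 is always set in a packet header
        return None
    if data[0] & 0x40:                  # new-format header: tag in the low 6 bits
        return data[0] & 0x3F
    return (data[0] >> 2) & 0x0F        # old-format header: tag in bits 2-5


def findings(text: str) -> list[dict]:
    """Classify every armored block; flag it if the label or the first packet
    says it is secret key material."""
    out = []
    for label, data in armor_blocks(text):
        tag = packet_tag(data)
        out.append({
            "label": label,
            "tag": tag,
            "packet": SECRET_KEY_TAGS.get(tag) or PUBLIC_KEY_TAGS.get(tag),
            "exposes_private_key": label == "PRIVATE KEY BLOCK" or tag in SECRET_KEY_TAGS,
        })
    return out


def scan_tree(root: Path, max_bytes: int = 4 * 1024 * 1024) -> dict[str, list[dict]]:
    """Map each file under root that exposes a private key to its findings."""
    results = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = [f for f in findings(text) if f["exposes_private_key"]]
        if hits:
            results[str(path)] = hits
    return results


# Constructed samples.  Each body is a 5-byte stub whose first byte is an
# OpenPGP packet header: 0x94 = old-format tag 5 (Secret-Key), 0x98 = tag 6.
PRIVATE_SAMPLE = """<pre>-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: constructed sample

lAMEAAA=
-----END PGP PRIVATE KEY BLOCK-----</pre>"""

PUBLIC_SAMPLE = """-----BEGIN PGP PUBLIC KEY BLOCK-----

mAMEAAA=
-----END PGP PUBLIC KEY BLOCK-----
"""

# Secret-key packet under a public-key label: invisible to the Google query.
MISLABELLED_SAMPLE = PUBLIC_SAMPLE.replace("mAMEAAA=", "lAMEAAA=")


def demo() -> dict[str, list[dict]]:
    """Write the samples to a temporary tree, scan it, and key results by file name."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "keys").mkdir()
        (root / "contact.html").write_text(PRIVATE_SAMPLE)
        (root / "keys" / "public.asc").write_text(PUBLIC_SAMPLE)
        (root / "keys" / "mislabelled.asc").write_text(MISLABELLED_SAMPLE)
        return {Path(p).name: hits for p, hits in scan_tree(root).items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        for h in hits:
            print(f"{name}: {h['label']} (first packet: {h['packet']})")
```

Point `scan_tree()` at the document root of anything you serve and treat every hit as a key to revoke, not just a file to delete: once a crawler has cached it, removing the file does not make the key secret again. The packet-tag check is deliberately shallow (first packet only, no CRC verification); it is a finder, not a validator.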
  2. HiddenHippie

    HiddenHippie Member

    This is exactly why you do not put it in a signature. It sucks and is an extra step. But anyone vending should provide it on an initial contact basis. I personally like to go an extra step (that often frustrates a vendor) and use and then drop that link info into a PGP message. So when they decrypt the PGP message, they still have to view the self-destructing link. I like to do this so I know my info is not sitting in some vendor's inbox forever. Layers upon layers of security makes me feel better.