Google Dork Password for Nuclear Regulatory Commission


I found a spreadsheet containing a nuclear materials database credential on Google. The technique used was very simple, but I have to wonder why such a document misplacement was overlooked. Maybe people are afraid to tell them they just stumbled upon a nuclear system fearing they might get disappeared. Well, I decided to contact them and hilarity ensued. The database was relatively benign, but the saga went on for a little longer than it should. This also resulted in my first interview for a major publication, The Guardian.

Read More

Carry On Leaking: When Corporate Security Goes Really, Really Wrong

I had a nice time being interviewed by The Guardian regarding my disclosure of a password leaked from the Nuclear Regulatory Commission. While the NRC insists that this is a non-issue (and in the case of this protected system was the case), it exposes a deeper and more fundamental problem regarding how  systems are secured in the first place. First, the fact that this one file and nothing else in that directory was visible indicates Discretionary access controls rather than Role-based or mandatory. Furthermore, it shows that this type of problem can lie unsolved for years and affect more systems than people realize.

The Guardian: Carry On Leaking: When Corporate Security Goes Really, Really Wrong