Detecting Sensitive Information on Client Systems - PowerPoint PPT Presentation

1
Detecting Sensitive Information on Client Systems
  • Charles Morrow-Jones
  • Director, Security, Office of the CIO
  • SECWOG September 7, 2006

2
What is Sensitive Information?
  • For our purposes, data that are covered by
    various laws or commercial regulations: FERPA,
    Ohio HB 104, PCI-DSS
  • At OSU a major driver to identify sensitive data
    is the SSN Privacy and Safeguarding project (part
    of the BuckeyeSecure Program)
  • While detecting SSNs is of paramount interest,
    other items such as credit card numbers, driver's
    license numbers or patient record numbers may
    need to be found on a case-by-case basis

3
Four SSN Detection Products
  • Freeware/open source
      • Spider (Cornell University)
      • SENF (University of Texas)
  • Commercial
      • VONTU
      • PowerGREP

4
Spider
  • Four Versions Available
  • Production versions
      • Spider 4.0 for Linux
      • Spider 2.1.9a for Windows
  • Beta versions
      • Beta test for Mac OS X
      • Beta test for Windows

5
Spider
  • Four Versions Available
  • Production versions
      • Spider 4.0 for Linux
      • Spider 2.1.9a for Windows <- version tested
  • Beta versions
      • Beta test for Mac OS X
      • Beta test for Windows

6
Spider for Windows -Assumptions-
  • Microsoft 2000, XP or 2003
  • Microsoft .NET 1.1 or higher installed
  • Files are NOT encrypted, are not opened/locked
    by another process, are not system files (except
    some DLLs?), not sparse files (e.g. some
    databases).

7
What Can Spider look for?
  • Credit Card and SSN searches built in
  • User can supply other regular expressions
  • Focusing on the SSN logic
      • \b(001-9010-733750-772)-\d{2}-\d{4}\b
      • \b\d{3}-\d{2}-\d{4}\b
      • \b(001-9010-733750-772) \d{2} \d{4}\b
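
The generic 3-2-4 digit match from this slide, followed by a structural filter and masked reporting, as an added Python example (not part of the presentation and not Spider's code). The filter rules (areas 000, 666 and 9xx, group 00 and serial 0000 are never issued) and the sample text are assumptions added here, not the area ranges Spider ships with.

```python
import re

# Dashed or space-separated 3-2-4 digit runs, the two generic layouts on the
# slide; the backreference \2 forces the same separator in both positions.
CANDIDATE = re.compile(r"\b(\d{3})([- ])(\d{2})\2(\d{4})\b")


def plausible(area, group, serial):
    """Structural SSN rules (assumption: general SSA numbering rules)."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def scan(text):
    """Return (line number, masked value, plausible?) for every candidate."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            area, sep, group, serial = m.groups()
            # Mask all but the serial so the scan report does not become
            # another file full of SSNs.
            masked = f"***{sep}**{sep}{serial}"
            hits.append((lineno, masked, plausible(area, group, serial)))
    return hits


# Constructed sample input, not data from the presentation.
SAMPLE = """\
Student J. Doe  123-45-6789  grade A
part 000-12-3456 rev B
build 987-65-4321
record 219 09 9999
order 123-00-4567
mixed 123-45 6789
"""

if __name__ == "__main__":
    for lineno, masked, ok in scan(SAMPLE):
        verdict = "needs review" if ok else "likely false positive"
        print(f"line {lineno}: {masked}  {verdict}")
```

Candidates that fail the structural check are the kind of hit that shows up in binaries and other non-document files; those that pass still need a person to confirm them.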

8
Spider opening screen
9
Spider configuration screen
10
Spider logging options
11
OSU Machine Analysed
  • Faculty laptop
  • 2.13 GHz processor, 1Gb memory
  • 92 Gigabytes disk space, 20 used
  • 244 suspicious files identified as possibly
    containing SSN(s)
  • 15 file types reported, including a few .dll and
    .exe (plus .bmp, .wav and other oddities)
  • Largest files were Eudora mailboxes - 6 of these
    were 90 megabytes or larger
  • Handled zip files

12
OSU Analysis, cont'd
  • Files can be put into three categories
  • Almost certainly contains SSNs
      • D:\\Eudora\Attachments\OSU UBW 850 GradesFINAL.xls
  • Almost certainly doesn't contain SSNs
      • C:\\WINDOWS\system32\dllcache\wmm2res.dll
  • Requires further analysis
      • D:\\Eudora\Out.mbx

13
SENF: The Sensitive Number Finder
  • Senf is a fast, portable tool (written in Java,
    runnable just about everywhere) for finding
    sensitive numbers. Use this tool to identify
    files on your system that may have Social
    Security Numbers (SSNs) or Credit Card Numbers
    (CCNs). -- from the SENF website

14
VONTU
15
VONTU Example, cont'd
16
PowerGREP Software
17
PowerGREP Software
18
Resources
  • Michigan Overview
      • http://safecomputing.umich.edu/tools/download/ccn-ssn_discovery_tools.pdf
  • SPIDER
      • http://www.cit.cornell.edu/computer/security/tools/
  • SENF
      • https://source.its.utexas.edu/groups/its-iso/projects/senf/
  • VONTU
      • http://www.vontu.com
  • PowerGREP
      • http://www.powergrep.com/