Educause Security Discussion mailing list archives
Re: SSN file scanner (C source available)
From: Wyman Miles <wm63 () CORNELL EDU>
Date: Fri, 12 May 2006 08:43:31 -0400
We've been distributing an in-house tool called "spider" for a while whose purpose is similar. spider runs under any UNIX flavor, and there's now a Win32 variant. It'll take an arbitrary list of regexes (we look for SSNs and credit card numbers, with the rare foray into things like university account codes). The Linux version outputs reports in HTML, translating Linux paths to Windows paths if you're running it against a dead Windows machine; this is useful for incident response.

Link to the release version is here: <http://www.cit.cornell.edu/security/tools>

--On Thursday, May 11, 2006 5:21 PM -0500 Graham Toal <gtoal () UTPA EDU> wrote:

> Here's a little freebie for y'all...
>
> http://www.gtoal.com/ssn/
>
> This is a C command-line program, whose parameter is a directory, eg: ".\findssn ." or ".\findssn c:\ > d:\ssn.log"
>
> It scans all the files in that directory and below, looking for strings within the files of the forms 123-45-6789 and 123456789 - it then runs an SSN validation function on the numbers, in an attempt to find files containing SSNs.
>
> You'd want to use this on every system that is not supposed to have any SSNs stored on it...
>
> This version is for WinXX systems only (no mac/unix yet) and you should compile it yourself. (What, you're a security guy and you're asking for an executable from a stranger? Sheesh! :-) Go get the free LCC compiler if you need one)
>
> It's not extensively tested but it worked well enough for me to save me from embarrassment once or twice. If you run it on your whole disk, expect to wait some time (that is not to say it isn't fast, just that disks are big)
>
> Later versions may do better summarizing and give more weight to strings of the nnn-nn-nnnn form as being likely SSNs.
>
> It does not rule out any files, so you should expect some hits from .dll files, .bmp, .exe etc. The summary info and the SSN validity check between them ought to be enough to quickly rule out the false positives however.
>
> Any user-contributed mods will be greatly welcome.
>
> Graham

Wyman Miles
Senior Security Engineer
Cornell University, Ithaca, NY
(607) 255-8421
Current thread:
- SSN file scanner (C source available) Graham Toal (May 11)
- <Possible follow-ups>
- Re: SSN file scanner (C source available) Wyman Miles (May 12)
- Re: SSN file scanner (C source available) Roger Safian (May 12)
- Re: SSN file scanner (C source available) Graham Toal (May 12)
- Re: SSN file scanner (C source available) Wyman Miles (May 12)
- Re: SSN file scanner (C source available) Wyman Miles (May 12)
- Re: SSN file scanner (C source available) Steve Lovaas (May 12)
- Re: SSN file scanner (C source available) Gary Golomb (May 12)
- Re: SSN file scanner (C source available) Graham Toal (May 12)
- Re: SSN file scanner (C source available) Gary Golomb (May 12)
- Re: SSN file scanner (C source available) Wyman Miles (May 12)