Educause Security Discussion mailing list archives

Re: SSN file scanner (C source available)

From: Wyman Miles <wm63 () CORNELL EDU>
Date: Fri, 12 May 2006 08:43:31 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We've been distributing an in-house tool called "spider" for a while whose
purpose is similar.  spider runs under any UNIX flavor, and there's now a
Win32 variant.  It'll take an arbitrary list of regexes (we look for SSNs
and credit card numbers, with the rare foray into things like university
account codes).

The linux version outputs reports in HTML, translating linux paths to
Windows paths if you're running it against a dead Windows machine; this is
useful for incident response.

Link to the release version is here:

<http://www.cit.cornell.edu/security/tools>

- --On Thursday, May 11, 2006 5:21 PM -0500 Graham Toal <gtoal () UTPA EDU>
wrote:

Here's a little freebie for y'all...

http://www.gtoal.com/ssn/

This is a C command-line program, whose parameter is a
directory, eg:  ".\findssn ."  or ".\findssn c:\ > d:\ssn.log"

It scans all the files in that directory and below,
looking for strings within the files of the forms
123-45-6789 and 123456789 - it then runs an SSN
validation function on the numbers, in an attempt
to find files containing SSNs.  You'd want to use
this on every system that is not supposed to have
any SSNs stored on it...

This version is for WinXX systems only (no mac/unix yet)
and you should compile it yourself.  (What, you're a
security guy and you're asking for an executable from
a stranger?  Sheesh! :-)  Go let the free LCC compiler
if you need one)

It's not extensively tested but it worked well enough
for me to save me from embarassment once or twice. If
you run it on your whole disk, expect to wait some time
(that is not to say it isn't fast, just that disks are
big)

Later versions may do better summarizing and give more
weight to strings of the nnn-nn-nnnn form as being likely
SSNs.

It does not rule out any files, so you should expect some
hits from .dll files, .bmp, .exe etc.  The summary info
and the SSN validity check between them ought to be enough
to quickly rule out the false positives however.

Any user-contributed mods will be greatly welcome.


Graham




Wyman Miles
Senior Security Engineer
Cornell University, Ithaca, NY
(607) 255-8421
-----BEGIN PGP SIGNATURE-----
Version: Mulberry PGP Plugin v3.0
Comment: processed by Mulberry PGP Plugin

iQA/AwUBRGSC9sRE6QfTb3V0EQLQBACg4r1DbtRRMP9EH2ajlm6GWEm8yiwAoOvj
yb4yAey3UZFn7wwfiqjBY2p4
=In2M
-----END PGP SIGNATURE-----

Current thread:

SSN file scanner (C source available) Graham Toal (May 11)
- <Possible follow-ups>
- Re: SSN file scanner (C source available) Wyman Miles (May 12)
- Re: SSN file scanner (C source available) Roger Safian (May 12)
- Re: SSN file scanner (C source available) Graham Toal (May 12)
- Re: SSN file scanner (C source available) Wyman Miles (May 12)
- Re: SSN file scanner (C source available) Wyman Miles (May 12)
- Re: SSN file scanner (C source available) Steve Lovaas (May 12)
- Re: SSN file scanner (C source available) Gary Golomb (May 12)
- Re: SSN file scanner (C source available) Graham Toal (May 12)
- Re: SSN file scanner (C source available) Gary Golomb (May 12)
- Re: SSN file scanner (C source available) Wyman Miles (May 12)