The National Security Agency has produced a book to help its spies uncover intelligence hiding on the web.
The 652-page book is titled Untangling the Web: A Guide to Internet Research and was published by the Center for Digital Content of the National Security Agency.
It was released by the NSA last year after a FOIA request filed by MuckRock, but that version is a redacted black and white copy. After doing a quick Google search, LeakSource has discovered the proper unredacted version of the book (source/pdf), in color with working hyperlinks. It looks like it has been on the Internet since 2007.
The author’s are revealed to be Robyn Winder and Charlie Speight, whose names were redacted in the MuckRock version.
The most interesting is the chapter titled “Google Hacking.”
Say you’re a cyberspy for the NSA and you want sensitive inside information on companies in South Africa. What do you do?
Search for confidential Excel spreadsheets the company inadvertently posted online by typing “filetype:xls site:za confidential” into Google, the book notes.
Want to find spreadsheets full of passwords in Russia? Type “filetype:xls site:ru login.” Even on websites written in non-English languages the terms “login,” “userid,” and “password” are generally written in English, the authors helpfully point out.
Misconfigured web servers “that list the contents of directories not intended to be on the web often offer a rich load of information to Google hackers,” the authors write, then offer a command to exploit these vulnerabilities — intitle: “index of” site:kr password.
“Nothing I am going to describe to you is illegal, nor does it in any way involve accessing unauthorized data,” the authors assert in their book. Instead it “involves using publicly available search engines to access publicly available information that almost certainly was not intended for public distribution.” You know, sort of like the “hacking” for which Andrew “weev” Aurenheimer was recently sentenced to 3.5 years in prison for obtaining publicly accessible information from AT&T’s website.