This Blog has Moved!

This blog is moving to


Thank you for visiting! Content will remain here for archival purposes.

CaffSec SITREP - Cyber Intelligence for the masses

Leveraging the power of Google Alerts, I have started posting relevant news articles, public exploit releases, and other tidbits of information related to Cyber Security and Information Assurance.

The best way to keep yourself and your organization prepared for unknown threats is to keep tabs on the current state of internet security.

There are currently three ways to view SITREP messages:

Twitter, following @CaffSec
Tumblr through the CaffSec SITREP blog
The CaffSec Daily SITREP Online Newspaper

Please enjoy these valuable resources!

New @CaffSec Twitter Feature: #exploitAlert

I've taken the Google Alert "zero day" exploit feed and created automated Twitter notifications.

You can get updated #exploitAlert notifications by following my Twitter account, @CaffSec.

The feed currently monitors Pastebin for new exploits. Expect additional feeds soon!

Monitoring for Leaked Company Documents through Google Alerts

This article is part of a series on using Google Alerts to protect you, your family, and your company through early notification of data breaches and leaks.

Previous Articles:

Misuse of Your Personal Information and Google Alerts
Monitoring for New Zero Day Exploits through Google Alerts


If you're following good security practices, all of your internal company documents carry a classification marking such as "Company Proprietary", "Company Sensitive" or "Do Not Distribute".

In fact, your company has probably established a standardized header for use on all sensitive documents.

So, when's the last time you performed a Google search for this header?
When's the last time you searched to see what documents are being exposed to the web hosted on your domain?

The results might surprise you.

The Google Hacking Database has some excellent information on how to use Google to find sensitive files. It's very easy to take some of the search queries there, add your company name or standard header, and see what happens.

In fact, even if you find no results, it would be a great idea to set up Google Alerts to monitor for documents posted (accidentally or otherwise) which appear to be internal company documents.

Here's an example, which should produce results for (hopefully!) intentionally posted documents:

site:blogspot.com filetype:doc OR filetype:xls OR filetype:pdf
The above query returns common office documents hosted on blogspot.com or any of its subdomains (site: covers both). Google treats the chain of OR terms as a single group, so the query reads as site:blogspot.com AND (doc OR xls OR pdf); wrapping the OR group in parentheses makes that explicit. Note that filetype:doc does not match .docx, so add docx, xlsx and pptx if your company uses the Office 2007 and later formats. Replace blogspot.com with your main domain, add your standard header as a quoted phrase, and see what results you find.

Beware: Many hackers already know these tricks, and will use them to perform reconnaissance on your company before initiating an attack.  Even the most mundane documents, such as a list of email addresses and phone numbers, could be used to assist in launching a spear phishing (targeted phishing) attack against your company.

Monitoring for New Zero Day Exploits through Google Alerts

In case you haven't read it, I previously posted a how-to for using Google Alerts to monitor for misuse of your personal information...

Misuse of Your Personal Information and Google Alerts

Today I'm going to expand on that post, and show how advanced Google search strings can be used to monitor for other things, such as when new zero day exploits are posted publicly to Pastebin.

For those not familiar with it, Pastebin is a large site that allows anyone to post large amounts of text. One common use of the site is the public disclosure of new vulnerabilities and exploits.

To leverage some of the more powerful features of Google, use advanced search syntax to narrow your search.  An excellent quick reference is available at Google Guide.

Using our previous method to create an "As it happens" alert, let's try writing a custom query which monitors for new exploits...

intext:exploit OR intext:vulnerability OR intext:"zero day" OR intext:"0day" site:pastebin.com

Further tweaking will let you target a specific product or vendor, such as...

intext:microsoft intext:exploit OR intext:vulnerability OR intext:"zero day" OR intext:"0day" site:pastebin.com

I have provided an example RSS feed for a wide zero day search here.

Of course, this won't give you up-to-the-minute searching of Pastebin: an alert only fires once Google has crawled and indexed a paste, and many pastes are deleted before that happens. Still, it's better than not monitoring at all.
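The two posts above (leaked-document searches against your own domain, and exploit chatter on Pastebin) both come down to building a Google query and then reading whatever the alert feed delivers. The Python below is an added example, not the blog author's code or anything from the CaffSec project. It builds both query families with explicit parentheses around the OR groups, adds the Office 2007+ extensions that filetype:doc alone would miss, and triages an alert feed offline so that known-noise hosts and keyword false positives don't page anyone. The feed shape (Atom entries with title, link and content elements) and the google.com/url?...&url=<target> redirect wrapper on each link are assumptions about how Google Alerts delivers results, not facts taken from the page; the sample feed, ExampleCMS, Example Corp, example.com and example.net are all constructed.

```python
# Added example for the two Google Alerts posts above; not the blog author's code.
# Assumed (not from the page): alerts arrive as an Atom feed whose links are
# google.com/url?...&url=<target> redirects.  The sample feed is constructed.
import html
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

OFFICE_TYPES = ("doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf")
EXPLOIT_TERMS = ("intext:exploit", "intext:vulnerability",
                 'intext:"zero day"', 'intext:"0day"')
ATOM = {"a": "http://www.w3.org/2005/Atom"}

def or_group(terms):
    """Parenthesised OR group so AND/OR precedence is explicit to any reader."""
    return "(" + " OR ".join(terms) + ")"

def quote(phrase):
    """Quote multi-word phrases so Google matches them exactly."""
    return f'"{phrase}"' if " " in phrase else phrase

def leaked_document_query(domain, markers=(), filetypes=OFFICE_TYPES):
    """Office files under <domain> (site: also covers subdomains), optionally
    requiring one of your classification markers in the document text."""
    parts = [f"site:{domain}", or_group(f"filetype:{t}" for t in filetypes)]
    if markers:
        parts.append(or_group(f"intext:{quote(m)}" for m in markers))
    return " ".join(parts)

def exploit_query(vendor=None, site="pastebin.com"):
    """Exploit chatter on <site>, narrowed to one vendor/product if given."""
    parts = [f"intext:{quote(vendor)}"] if vendor else []
    return " ".join(parts + [or_group(EXPLOIT_TERMS), f"site:{site}"])

def unwrap_google_redirect(link):
    """Return <target> from a google.com/url?...&url=<target> wrapper (assumed
    alert link format); any other link is returned unchanged."""
    p = urlparse(link)
    if p.netloc.endswith("google.com") and p.path == "/url":
        target = parse_qs(p.query).get("url")
        if target:
            return target[0]
    return link

def strip_tags(text):
    """Alerts wrap matched words in <b>; drop tags and HTML entities."""
    return html.unescape(re.sub(r"<[^>]+>", "", text or ""))

def parse_alert_feed(xml_text):
    """Flatten each Atom entry to a dict carrying the real destination URL."""
    entries = []
    for e in ET.fromstring(xml_text).findall("a:entry", ATOM):
        link = e.find("a:link", ATOM)
        entries.append({
            "title": strip_tags(e.findtext("a:title", default="", namespaces=ATOM)),
            "url": unwrap_google_redirect(link.get("href", "")) if link is not None else "",
            "summary": strip_tags(e.findtext("a:content", default="", namespaces=ATOM)),
        })
    return entries

def triage(entries, must_match, noise_hosts=()):
    """Keep hits that mention a keyword and are not on a host you already
    reviewed and accepted (a news site that reprints your press releases, say)."""
    kept = []
    for ent in entries:
        host = urlparse(ent["url"]).netloc.lower()
        if any(host == h or host.endswith("." + h) for h in noise_hosts):
            continue
        text = (ent["title"] + " " + ent["summary"]).lower()
        if any(k.lower() in text for k in must_match):
            kept.append(ent)
    return kept

# Constructed sample feed: two pastes worth a look, one keyword false positive.
SAMPLE_FEED = """<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <entry><title type="html">Untitled - &lt;b&gt;0day&lt;/b&gt; for ExampleCMS 1.0</title>
    <link href="https://www.google.com/url?rct=j&amp;url=https://pastebin.com/aaaaaaaa&amp;ct=ga"/>
    <content type="html">Remote &lt;b&gt;exploit&lt;/b&gt; for ExampleCMS, tested on 1.0</content></entry>
  <entry><title type="html">Example Corp Q1 customer call list</title>
    <link href="https://www.google.com/url?rct=j&amp;url=https://pastebin.com/bbbbbbbb&amp;ct=ga"/>
    <content type="html">Company Proprietary - Do Not Distribute. Contacts: ...</content></entry>
  <entry><title type="html">Example Corp exploits growth in the widget market</title>
    <link href="https://www.google.com/url?url=https://news.example.net/example-corp.pdf&amp;ct=ga"/>
    <content type="html">Press release reprinted by a trade news site.</content></entry>
</feed>
"""

def demo():
    """Parse the sample feed and return only the hits that need a human look."""
    return triage(parse_alert_feed(SAMPLE_FEED),
                  must_match=("0day", "exploit", "Company Proprietary"),
                  noise_hosts=("example.net",))

if __name__ == "__main__":
    print(leaked_document_query("example.com", markers=("Company Proprietary",)))
    print(exploit_query("microsoft"))
    for hit in demo():
        print(hit["url"], "-", hit["title"])
```

Run it directly to see the two generated queries and the two pastes that survive triage; the third entry matches the keyword "exploit" but comes from a host on the noise list, which is exactly the kind of hit that makes people stop reading alerts if it isn't filtered.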

Malware Analysis Lab - New Feature!

I'm happy to announce that I have created a Google code project called the Caffeine Security Malware Analysis Lab.

At this project, you will be able to see my current research into unknown malware on my honeypot, and even contribute to my research!

I have uploaded source code for xsyslog and ssyslog, which can be accessed through the source code svn repository.

Check out the project now!