Another case of too much information being present in files published online: the main website of the Dutch government, overheid.nl. Running FOCA Free on site:overheid.nl and filetype:{pdf,odt,doc,docx,xls,xlsx,ppt,pptx} yields 1527 documents (.txt), containing 350 users (.txt), 184 folders (.txt), 14 printers (.txt), 166 pieces of software (.txt) 4 operating systems (.txt) and a few email addresses. Furthermore, FOCA inferred 311 clients and 21 servers (.jpg): most with their OS identified, many with additional software identified. (Note that FOCA can infer, albeit imperfect, information about a single client or server from multiple documents.)
Great example of yet more low risk — otherwise I would not have published the results here — but nonetheless needless information disclosure.
For more, see the previous post about the U.S. Cyber Security Act 2012.
For more, here is a partial translation of this post in Dutch from April 2011:
Once upon a time, the Dutch National Communication Security Agency (NL-NCSA) was located at Cistron, a Dutch ISP in Twente. In 2001, the NL-NCSA was physically and administratively moved to the Dutch General Security & Intelligence Agency, the AIVD. In a monkey-see-monkey-do imitation of this original finding by Henk van Ess (WebWereld, 2010-02-05), I downloaded all .pdf news bulletins issued by NL-NCSA from here and applied exiftool to examine the data. Result: the old bulletins (still) contain too much needless metadata. I educated-guess that these documents were -really- created on AIVD computers. If true, the metadata probably gives some clues about those systems. For example, Author and Creator reveal (assuming that this is not disinformation):
P1140 Nieuwsbrief -4 NBV aug. 2006.doc – Microsoft Word
P1140 G:DIRECTIE.3NBVNBV – NieuwsbrievenOktober 2006Nieuwsbrief NBV okt. 2006.doc – Microsoft Word
P1140 G:DIRECTIE.3NBVNBV – NieuwsbrievenDecember 2006Nieuwsbrief NBV dec. 2006.doc – Microsoft Word
P1140 G:DIRECTIE.3NBVNBV – NieuwsbrievenApril 2007Nieuwsbrief NBV apr. 2007.doc – Microsoft Word
P1140 G:DIRECTIE.3NBVNBV – NieuwsbrievenJuni 2007Nieuwsbrief NBV jun. 2007.doc – Microsoft Word
P1140 NBV nieuwsbrief aug_2007_wijzCO7HE.doc – Microsoft Word
P1140 N:NBV – Nieuwsbrieven2007 OktoberNBV nieuwsbrief okt 2007.doc – Microsoft Word
p648 C:DOCUME~1p648LOCALS~1TempnotesE259CDNBV nieuwsbrief dec. 2007.doc – Microsoft Word
P1140 N:AlgemeenNieuwsbrieven2008 MaartNBV nieuwsbrief mrt. 2008.doc – Microsoft Word
P1140 NBV nieuwsbrief juni 2008.doc – Microsoft Word
P1140 N:AlgemeenNieuwsbrieven2008 AugustusNBV nieuwsbrief aug. 2008.doc – Microsoft Word
P1140 NBV nieuwsbrief okt. 2008 v0.8.doc – Microsoft Word
P1385 C:DOCUME~1P1385LOCALS~1TempnotesE259CDNBV nieuwsbrief dec. 2008 v0.5.doc – Microsoft Word
P1140 N:AlgemeenNieuwsbrieven2009 FebruariNBV nieuwsbrief feb. 09 v0.3.doc – Microsoft Word
P1140 NBV nieuwsbrief apr. 09 v0.3.doc – Microsoft Word
P1140 N:AlgemeenNieuwsbrieven2009 JuliNBV nieuwsbrief juli 09 v0.3.doc – Microsoft Word
P1140 N:AlgemeenNieuwsbrieven2009 septemberNBV nieuwsbrief sept. 09 v0.3.doc – Microsoft Word
P1140 N:AlgemeenNieuwsbrieven2009 NovemberNBV nieuwsbrief nov. 09 v0.4.doc – Microsoft WordMind that Author (probably NT-username or computer name) is always P1140 except in December 2007 (p648) and 2008 (P1385). Did computer P1140 break or had user P1140 taken a Christmas holiday, as opposed to December 2006? If P1140 is a user, this possibly is a clue for finding matching Facebook/Hyves-profiles to reveal P1140‘s identity. Here is the raw metadata: 20110416_NBVnbmeta.txt (I left out documents that did not contain metadata). The Producer-field suggests that the news bulletins between 2006 and 2009 have been authored using Acrobat PDFWriter 4.05 voor Windows NT. For some other AIVD .pdf publications, exiftool shows this metadata: 20110416_AIVDmeta.txt. All metadata combined in one CSV file: 20110416_exifAIVD-csv.txt. Furthermore, Author and Last Modified By are present in a Word document: 20110416_AIVDWorddoc.txt.
EOF.
LOL. Same with amsterdam.nl