A researcher has revealed this week how easy it can be to find the private keys that are supposedly securing organisations’ sensitive data. No clever hacks or tricks of the trade are necessary, just a simple Google search.
After he claimed that a web search on ‘BEGIN PGP PRIVATE KEY BLOCK’ gave 29,500 hits, I decided to test this out myself (with a few tweaks) and the number of keys out there is indeed staggering. It’s not clear how many of them are real or provide access to valuable information, but presumably some proportion of them do. And that’s worrying.
Many will assume this problem doesn’t apply to them. Maybe their keys are passphrase-protected. Maybe they’ve checked their public folders and moved the keys.
However, what the Google searching above demonstrates is just how exposed keys are when they are stored as files rather than in hardware. These ones happened to be found by a web spider, but the same applies to keys inside an organisation once a Trojan or virus gets in and runs a spider of its own over file shares and home directories: anything a simple text search can find, malware can find too.
So, how protected are your keys? Try searching for ‘"BEGIN PGP PRIVATE KEY" filetype:asc site:yourdomain.com’ (the quotes make Google match the exact phrase). Bear in mind that filetype:asc covers only one extension and the search covers only what Google has already indexed, so keys pasted into .txt or .bak files, or served from pages that have not been crawled, will not show up. If you get any hits, treat that key as compromised (revoke it and issue a new one rather than just moving the file), and it might be time to revisit your key management procedures…
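The Google search only covers what has been indexed, and only in .asc files. As an added example (not code from the original post), here is a Python scanner that does the internal equivalent of the spider the post warns about: it walks a directory tree, flags any file containing an armored private key header whatever its extension, and for PGP blocks parses the secret-key packet to tell whether the private key material is passphrase-protected, using the S2K usage octet defined in RFC 4880 section 5.5.3. It goes beyond the post by also flagging PEM private keys. The sample files and the tiny fake RSA key it builds are constructed here purely to exercise the parser; `build_sample_pgp_key` is a hypothetical helper, the key is not real, and `scan_tree` is the function you would point at a web root or a file share.

```python
"""Find private keys on disk the way a web spider (or a Trojan) would, and
check whether the PGP ones are at least passphrase-protected.

Added example, not from the original post.  The sample key it builds is fake."""
import base64
import os
import re

# Header of the block the post searches for, plus common PEM private key types.
PRIVATE_KEY_RE = re.compile(
    r"-----BEGIN (PGP PRIVATE KEY BLOCK|"
    r"(?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----")


def dearmor_pgp(text):
    """Return the binary payload of the PGP private key armor block in text."""
    lines = [l.strip() for l in text.splitlines()]
    begin, end = "-----BEGIN PGP PRIVATE KEY BLOCK-----", "-----END PGP PRIVATE KEY BLOCK-----"
    if begin not in lines or end not in lines:
        raise ValueError("no armored PGP private key block")
    body = lines[lines.index(begin) + 1:lines.index(end)]
    if "" in body:                      # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    # The "=XXXX" line is the CRC-24; we classify, we do not verify integrity.
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))


def _packets(data):
    """Yield (tag, body) for each OpenPGP packet (RFC 4880 section 4.2)."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if not ctb & 0x80:
            raise ValueError("not a packet header")
        if ctb & 0x40:                  # new-format header and length
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                           # old-format header: 1, 2 or 4 length octets
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        yield tag, data[i:i + length]
        i += length


def pgp_secret_key_protected(armored_text):
    """True if the first secret-key packet (tag 5) has a non-zero S2K usage
    octet, i.e. its private MPIs are encrypted under a passphrase.
    Handles v4 keys with RSA, ElGamal and DSA public-field layouts."""
    for tag, body in _packets(dearmor_pgp(armored_text)):
        if tag != 5:
            continue
        if body[0] != 4:
            raise ValueError("only v4 keys handled")
        algo = body[5]                  # after version (1) + creation time (4)
        n_mpis = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}.get(algo)
        if n_mpis is None:
            raise ValueError(f"unsupported public key algorithm {algo}")
        pos = 6
        for _ in range(n_mpis):         # skip public MPIs: 2-byte bit count + value
            bits = int.from_bytes(body[pos:pos + 2], "big")
            pos += 2 + (bits + 7) // 8
        return body[pos] != 0
    raise ValueError("no secret key packet found")


def classify(text):
    """Yield (kind, status) for every private key header found in text."""
    for m in PRIVATE_KEY_RE.finditer(text):
        kind, status = m.group(1), "unknown"
        if kind == "PGP PRIVATE KEY BLOCK":
            try:
                status = "passphrase-protected" if pgp_secret_key_protected(text[m.start():]) else "UNPROTECTED"
            except ValueError as e:
                status = f"unparsed ({e})"
        elif kind == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in text[m.end():m.end() + 100]:
            status = "passphrase-protected"   # PKCS#8 / legacy PEM encryption markers
        yield kind, status


def scan_tree(root):
    """Walk root and report every file holding a private key header, whatever
    its extension: the Google dork's filetype:asc misses .txt, .bak and friends."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="ignore") as f:
                findings += [(os.path.relpath(path, root), k, s) for k, s in classify(f.read())]
    return sorted(findings)


def build_sample_pgp_key(protected):
    """CONSTRUCTED: armor a minimal fake v4 RSA secret-key packet (nonsense
    numbers, no real key material) so the parser can be exercised offline."""
    body = bytes([4]) + (0).to_bytes(4, "big") + bytes([1])  # v4, time, RSA
    body += (8).to_bytes(2, "big") + b"\xab"                  # MPI n (8 bits)
    body += (17).to_bytes(2, "big") + b"\x01\x00\x01"         # MPI e = 65537
    if protected:   # usage 254: AES-256, iterated+salted SHA-256 S2K, IV, ciphertext
        body += bytes([254, 9, 3, 8]) + b"\x00" * 8 + b"\x60" + b"\x11" * 16 + b"\x22" * 24
    else:           # usage 0: plaintext private MPI d, then 2-byte checksum
        body += bytes([0]) + (8).to_bytes(2, "big") + b"\x77" + b"\x00\x00"
    packet = bytes([0xC0 | 5, len(body)]) + body              # new-format, 1-octet length
    return ("-----BEGIN PGP PRIVATE KEY BLOCK-----\nVersion: constructed sample\n\n"
            + base64.b64encode(packet).decode() + "\n-----END PGP PRIVATE KEY BLOCK-----\n")


# CONSTRUCTED sample "web root": one key in .asc, one pasted into a .txt, one PEM backup.
SAMPLE_FILES = {
    "public_html/keys.asc": build_sample_pgp_key(protected=True),
    "public_html/backup/notes.txt": "todo\n" + build_sample_pgp_key(protected=False),
    "public_html/backup/id_rsa.bak": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                                      "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n"),
}


def demo():
    """Run the classifier over the constructed samples instead of a real tree."""
    return sorted((name, k, s) for name, text in SAMPLE_FILES.items() for k, s in classify(text))


if __name__ == "__main__":
    for path, kind, status in demo():
        print(f"{path}: {kind} [{status}]")
```

Run it against a web root or a mounted file share with `scan_tree("/var/www")`; an `UNPROTECTED` PGP finding, or any finding at all in a public directory, is the signal the post is talking about. Note that "passphrase-protected" only means the S2K usage octet is set, not that the passphrase is strong, so a protected key found in a public folder should still be revoked.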