CUBA PWNED - Government Infrastructure Security Audit

Just completed a passive OSINT assessment of 131 Cuban government domains. What I found was... interesting.

KEY FINDINGS:

- WordPress REST APIs wide open on Health Ministry (sld.cu) and University of Havana - 14 admin users enumerated
- The IT Security team "SegInf" at UH.cu got exposed by their own misconfigured API (the irony)
- Military sites (MINFAR) leaking camera metadata - identified NIKON D5600, Sony A7S II, Canon 6D Mark II
- Communist Party website claims to run on "Windows 95" - actually Drupal 10 + PHP 8.1.20 (deliberate obfuscation?)
- ETECSA (state telecom) running their own internal Certificate Authority with 12-YEAR validity
- Found exact GPS coordinates of military customs HQ embedded in HTML meta tags
- Interior Ministry (secret police) runs their own isolated DNS - trusts no one, not even ETECSA
- Anti-US regime using Google Analytics on government sites - sending visitor data to US servers
- Personal Gmail accounts used as official contact on .gob.cu sites
- State media still using Adobe Photoshop CS6 from 2012

Plot twist: The Agriculture Ministry (minag.gob.cu) has BETTER security headers than the Military. Tractors > Tanks.

Full methodology: Passive reconnaissance only. DNS records, HTTP headers, SSL certs, WordPress API enumeration, EXIF metadata extraction. No exploitation, no unauthorized access.

1,494 files | 30 MB data | 131 domains | 64 emails | 14 WordPress users exposed

This is what happens when you don't strip EXIF metadata and leave your APIs unprotected.

Check it out here: https://github.com/Ringmast4r/Cuba 

---

#OSINT #CyberSecurity #InfoSec #Cuba #GovernmentSecurity #WordPress #MetadataMatters #EXIFData #PassiveRecon #SecurityResearch #RedTeam #BugBounty #Hacking #CyberIntelligence #ThreatIntel #SecurityAudit #WebSecurity #APISecurity #DataExposure #PrivacyFail #OpSec #CubaLibre #SecurityAwareness #PenetrationTesting #EthicalHacking #CyberNews #InfoSecCommunity #HackerNews #TechSecurity