LAST YEAR, I read a computer security checklist developed by Scott Granneman at Bryan Consulting. I was interested in his checklist because I watch at least two people an hour visit my blog site in search of address books, phone numbers and other data that could prove useful when making sales calls or bulk mailings. If you have a server in the office and you sync your phone’s address book onto the server, you’re someone with valuable information.
If your sync program does not encrypt your contents, it’s possible to find your stuff just by asking Google for the information. You have to know what you’re looking for but it’s not that difficult to get surprising amounts of information. Google excels at drilling through file piles faster and more exactingly than any other service used today. I have watched others do it to me.
Google can also be used to finger vulnerable parts of your information system. It can discover passwords, point out well-organised address books and offer pathways to details you really should not be reading. Once you have an important detail like a date of birth, you could pay a speciality search service like Zaba Search for much more information than Google has in its index.
I can see people doing this by looking at details emerging in the log files of my web servers. Those log files show me visitors who know how to use Google’s advanced search capabilities. Some people know that when you put quotation marks around phrases, or put a "+" in front of required words or a "-" in front of words that should not appear, they can get very specific results.
Others just use free tools like FaganFinder to rapidly configure Google to drill across millions of pages in search of very valuable information.
Say you want to see budget submission documents floating on the internet. Just include the search operator "filetype" along with your search request. Then ask Google for "budget filetype:xls" and see what you find.
You should get more than 350,000 hits. When you skim through the first three pages, you'll notice some items of interest to an attacker.
For example, if you play around with Google’s "intitle" operator, you can often see things that web owners don't want to share. The “intitle” operator yields surprising results in directory listings that start with "Index of", and if you run this query, you will see thousands of pages that prove my point: intitle:"index of" password. Although many of the 192,00 results are plain rubbish, others reveal plain-text passwords and still others could be cracked using common tools like Crack and John the Ripper.
Every week for the past five years, chancers have searched my web sites for these phrases: passwd, htpasswd, noindex, users.pwd, web_store.cgi, and xls. Some of these words relate to turnkey shopping cart software and web-enabled Access databases. Unless those files sit behind secure directories, they can be accessed by users without prior approval.
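The log-file check described above can be automated. The following is an added example, not code from the original column: it reads web server access-log lines, decodes the Google search phrase from each referrer and flags the operators and phrases named in the column. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Phrases the column reports seeing in searches against the author's sites.
SENSITIVE_TERMS = ("passwd", "htpasswd", "noindex", "users.pwd", "web_store.cgi", "xls")
OPERATORS = ("intitle:", "filetype:")  # search operators named in the column

# Assumption: the server writes "combined" format access logs.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<ref>[^"]*)" "[^"]*"')
GOOGLE_HOST = re.compile(r"(www\.)?google\.[a-z.]{2,6}")

def search_query(referer):
    """Return the decoded q= phrase when the referrer is a Google results page."""
    try:
        parts = urlsplit(referer)
    except ValueError:  # referrers are client-supplied and may be malformed
        return None
    if not GOOGLE_HOST.fullmatch((parts.hostname or "").lower()):
        return None
    values = parse_qs(parts.query).get("q")
    return values[0] if values else None

def flag_line(line):
    """Return (client_ip, query, reasons) for a suspicious search referrer, else None."""
    m = LOG_RE.match(line)
    query = search_query(m.group("ref")) if m else None
    if query is None:
        return None
    q = query.lower()
    reasons = [op for op in OPERATORS if op in q]
    # Whole-token match so "passwd" is not reported again inside "htpasswd".
    reasons += [t for t in SENSITIVE_TERMS
                if re.search(r"(?<![a-z0-9])" + re.escape(t) + r"(?![a-z0-9])", q)]
    if re.search(r"index[ .]of", q):
        reasons.append("index of")
    return (m.group("ip"), query, reasons) if reasons else None

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Sep/2005:10:01:02 +0100] "GET /files/ HTTP/1.1" 200 512 "http://www.google.ie/search?q=intitle%3A%22index+of%22+password" "Mozilla/4.0"',
    '198.51.100.7 - - [23/Sep/2005:10:05:40 +0100] "GET /budget.xls HTTP/1.1" 200 20480 "http://www.google.com/search?q=budget+filetype%3Axls" "Mozilla/4.0"',
    '203.0.113.5 - - [23/Sep/2005:10:09:11 +0100] "GET /blog/ HTTP/1.1" 200 1024 "http://www.google.com/search?q=irish+weather" "Mozilla/4.0"',
    '203.0.113.9 - - [23/Sep/2005:10:12:30 +0100] "GET /shop/ HTTP/1.1" 200 900 "http://www.google.co.uk/search?q=users.pwd" "Mozilla/4.0"',
    '192.0.2.44 - - [23/Sep/2005:10:15:00 +0100] "GET / HTTP/1.1" 200 300 "-" "Mozilla/4.0"',
]

def scan(lines):
    """Return every flagged line as a list of (client_ip, query, reasons)."""
    return [hit for hit in map(flag_line, lines) if hit]
```

Any URL that shows up in the flagged lines is a file or directory Google has already indexed, so those are the first places to check for missing access controls.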
It’s easy to find web sites full of words and phrases that reveal sensitive information. You can see such a listing at Googledorks, a site that anyone with password-protected pages should visit. With pointers from boards.ie discussions to freely available Perl scripts, you could use the Google Web API with scripts that automate your work and open your eyes to your vulnerabilities.
Armed with your intelligent guesswork, Google makes it easy to unearth dangerous information. The problem isn’t Google’s pernicious search capabilities. The problem sits in your office—blissfully unaware people who think no one would find their stuff among the billions of files on the internet.
Sharing records between organisations means dealing with complex systems that have many points of potential failure. Anytime you see simple-to-use internet publishing solutions you should remember that simplicity in use often degenerates into easy exposure of passwords, if the system is not set up and audited.
Google for "_vti_pvt password intitle:index.of" and you may discover passwords for Microsoft Front Page websites.
If you create web content that you would rather remain out of view, you should learn how to direct Google and other search engines not to index that content. Several top-flight analysts, including O'Reilly Publications, have written tutorials on "Removing Your Materials From Google" and this skill should be an essential element of best practice for anyone permitted to upload material to the web.
Published by the Irish Examiner as "Inside View" on September 23, 2005.
Scott Granneman -- "Googling Up Passwords"
Tara Calishain and Rael Dornfest -- Google Hacks ISBN 0-596-00857-0