its away into the wrong hands. But what about other application log files that have common, known elements? How about configuration files? Spreadsheets? Accounting software? I think you get the point. Searching Google for these known application fingerprints will inevitably bring up "interesting" results. By the way, there are entire web sites devoted to the sole purpose of sharing Google queries that will turn up juicy googlebits such as passwords, social security numbers, and yes, credit card numbers. And although I won't list any of those sites here, they are not hard to find (hint: use Google!).
Incidentally, one of the things that makes these queries possible is Google's support of advanced operators. Google supports a growing number of these operators, which narrow down the output and generally produce a more specific result set. Using Google's advanced operators, you can even limit a search to a specific domain or file type. For example, the following query searches registry export files, looking specifically for a text string beginning with "Username" together with the word "putty" (PuTTY is a free implementation of telnet and SSH for the Windows and Unix platforms):
ext:reg "username=*" putty
If successful, the query would result in a list of username-to-machine mappings for folks who use PuTTY. Armed with this useful information, an attacker could then possibly launch a brute-force password guessing attack against the target (assuming the target's firewall allowed inbound SSH connectivity). As you can see, coming up with searches that reveal Googlebits is mostly an exercise of the imagination.
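The defender's counterpart to the query above is to find such files before a search engine does. The following script is an added example, not part of the original article: it walks a web document root and flags files whose fingerprints match the ones discussed here (a registry export holding a PuTTY session username, application log files, and configuration files containing a credential key). The rule set, the function names (classify, scan_webroot, demo) and the sample files are constructed assumptions; tune the rules to your own applications.

```python
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Each rule: label, file extensions it applies to, optional content pattern.
# Extensions and patterns are assumptions modelled on the ext:reg "username=*" putty query.
RULES = [
    ("registry export with stored PuTTY session", {".reg"},
     re.compile(r'(?im)^\s*"?username"?\s*=')),
    ("application log file", {".log"}, None),
    ("configuration file holding a credential", {".ini", ".conf", ".cfg"},
     re.compile(r"(?im)^\s*(password|passwd|secret|api[_-]?key)\s*=")),
]

def classify(path: Path) -> Optional[str]:
    """Return the label of the first rule the file matches, or None."""
    suffix = path.suffix.lower()
    for label, suffixes, pattern in RULES:
        if suffix not in suffixes:
            continue
        if pattern is None:
            return label
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        if pattern.search(text):
            return label
    return None

def scan_webroot(root) -> List[Tuple[str, str]]:
    """Walk a document root; report (relative path, label) for risky files."""
    root = Path(root)
    return [(p.relative_to(root).as_posix(), label)
            for p in sorted(root.rglob("*"))
            if p.is_file() and (label := classify(p))]

def demo() -> List[Tuple[str, str]]:
    """Scan a constructed document root (sample files, not real data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "backup").mkdir()
        (root / "backup" / "putty-sessions.reg").write_text(
            '[HKEY_CURRENT_USER\\Software\\SimonTatham\\PuTTY\\Sessions\\box]\n'
            '"HostName"="box.example.test"\n"UserName"="alice"\n')
        (root / "app.log").write_text("2006-01-01 login ok user=bob\n")
        (root / "db.ini").write_text("[db]\nhost=localhost\npassword=hunter2\n")
        (root / "index.html").write_text("<html>hello</html>\n")
        return scan_webroot(root)
```

Run scan_webroot against your real document root (or a staging copy) and move or delete anything it reports.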
As stated on their corporate website, Google's mission is to "organize the world's information and make it universally accessible and useful". So far, I'd say Google is doing an excellent job in fulfilling their mission statement. Are you upset that Google's database contains sensitive personal information such as credit card numbers? Me too. And though I won't give Google a complete pass, the primary parties at fault here are web site operators and web users (you and me). If you operate a Web site, please don't leave config files, log files, and other files that contain sensitive information sitting on your web server! And if you enjoy the many services the web has to offer, please understand that any information you send to a web site has the potential to show up in a Google search. I can't tell you how many forum posts I've stumbled on during a Google search that contained things like cell phone numbers, driver's license numbers, and even social security numbers.
You have been warned.
This article may be reprinted or published for free with the condition that the author and site information below is retained.
David Andrew is an Information Security Professional specializing in vulnerability assessment and penetration testing. He is the primary operator and owner of Security Tricks, an online resource devoted to computer security and spyware help geared towards the "average Joe". If you would like to contact David for interviews or other inquiries, please e-mail him at daveATsecuritytricks.com. If you are interested in learning more about information security, please visit Security Tricks.
Copyright 2006, David Andrew, Security Tricks.