Things you don't want Google to find
"Hacking Google" isn't exactly new. That is, using the search engine to look for confidential information. But as McAfee's senior vice president for Risk Management George Kurtz demonstrated today at the RSA Conference, that hasn't stopped users and organisations from posting those goodies online for anyone to find.
"You almost get bored finding all these password files. It used to be fun in the old days when you found a password file. Now you just go to Google and find thousands of them," Kurtz said.
The ultimate online resource for Google hacking btw is this website. (update: due to high traffic, the site is currently (2/16/2006 11:52AM Pacific Time) down. Make sure you check it out at a later stage)
Here are some samples taken from the RSA conference presentation:
A search for Payrol.xls turned up a nice overview of employees and their hourly wages.
Not very advanced, but still rather effective: "not for distribution" and "confidential".
So you removed that file with the password, but did you think about Google cache?
Yes, that's the management interface for a Netgear router that was found using Google. It still had the default login and password settings. What more do you want?
Search for sites with "Remote desktop web connection" in the title, and you'll find... remote desktops that you can take over. If the user sees you taking over, simply say that you're the system administrator working to bolster the user's security. Kurtz did that once during a security audit and it worked well.
Death records with a social security number. Search for: ssn 111111111..999999999 death records
And more social security numbers. These were used by a university to identify its students. It's illegal to use social security numbers for that, but this school apparently didn't care.
Technically not a Google hack, but a site's robots.txt file will tell you which directories the website operator doesn't want you to see, so it is worth a look. This one is from whitehouse.gov.
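Seen from the operator's side, robots.txt is a public, advisory file for crawlers and not an access control, so every path listed in it should be safe to disclose. The sketch below is an added example (not from the presentation or the original post): it parses a constructed robots.txt and flags Disallow entries whose names suggest content that needs authentication instead; the sample file and the `SENSITIVE_HINTS` word list are assumptions.

```python
import re

# Constructed sample robots.txt (not taken from any real site).
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /cgi-bin/
Disallow: /admin/
Disallow: /backup/payroll-2005/
Disallow: /images/   # static assets
Disallow:
Allow: /public/

User-agent: ExampleBot
Disallow: /private/reports/
"""

# Hypothetical word list for this example; tune it for your own site.
SENSITIVE_HINTS = re.compile(
    r"admin|backup|private|payroll|passw|secret|confidential|internal", re.I)

def disallowed_paths(text):
    """Return (user_agents, path) pairs for each non-empty Disallow rule."""
    rules, agents, in_rules = [], [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        field, value = (p.strip() for p in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:                         # rules seen: a new group starts
                agents, in_rules = [], False
            agents.append(value)
        elif field in ("allow", "disallow"):
            in_rules = True
            if field == "disallow" and value:    # empty Disallow allows everything
                rules.append((tuple(agents), value))
    return rules

def review(text):
    """Advertised paths whose names suggest they need real access control."""
    return sorted({path for _, path in disallowed_paths(text)
                   if SENSITIVE_HINTS.search(path)})

if __name__ == "__main__":
    for path in review(SAMPLE_ROBOTS):
        print("needs authentication, not just a Disallow line:", path)
```

Anything the review flags should return 401/403 to an unauthenticated request regardless of what robots.txt says.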
George Kurtz
Tags: rsa 2006, RSA conference, security, mcafee



I think this one should have been mentioned ..
http://johnny.ihackstuff.com/index.php?module=prodreviews
Posted by: Ben | February 16, 2006 3:20 PM
Re: Ben:
You're right. just added the link to the post's body.
Posted by: SV Sleuth | February 16, 2006 5:34 PM
Ok, that's just scary.
I think I'll go through my server's files again.
Posted by: daedal | February 16, 2006 8:12 PM
holy hell.. as i read through this article all i could think was "wow, looks like someone doesn't know how to take screenshots.."
don't use a camera to take screenshots, use software on the computer or simply "print screen" on your keyboard!
Posted by: Daniel | February 16, 2006 8:20 PM
RE: Daniel:
These are photos of slides that were shown at the RSA Conference in San Jose this week. Not pictures of my monitor.
Posted by: SV Sleuth | February 16, 2006 8:57 PM
looks like it's picts from a presentation, thanks though.
Posted by: John | February 16, 2006 9:00 PM
Daniel-
Wow, technology has really advanced quite a bit that you can capture a screenshot of an image from a projector by pressing 'Print Screen'. I keep trying that, but I just get a screenshot of my own PC. Are you using Vista or something?
Posted by: RJ | February 16, 2006 9:07 PM
What are you talking about Daniel? They are pictures of a live presentation. You know, like powerpoint...on a big screen...using a projector. Think before you flame.
Posted by: jbro | February 16, 2006 9:09 PM
Probably old news, but it's amazing what kind of cams are open to the public. See: http://johnbokma.com/mexit/2005/01/09/security-webcam-hunting.html for more info.
Posted by: John Bokma | February 16, 2006 9:30 PM
Did you know that you can hit Alt+PrintScrn to take snap shots of what is on your computer screen? It beats pulling out a camera and transferring files.
Just a heads up!
Posted by: Big Dog | February 16, 2006 9:54 PM
@Big Dog and others, I think the author already made clear that it was a presentation and what you see are photos taken during the presentation itself. I doubt one can just walk to the front, plug in a USB memory stick, and start pressing Alt+PrintScrn...
Posted by: John Bokma | February 16, 2006 10:03 PM
wow that's pretty scary
Posted by: The Information Bank | February 16, 2006 10:17 PM
That's pretty interesting, i didn't know it was that easy to hack into stuff
Posted by: Gage Black | February 16, 2006 10:18 PM
My mistake, sorry.. i didn't realize that this was a presentation, obviously i didn't read the article closely enough. ..and now i look like an idiot..
but anyway, it was a very interesting news post, thanks for sharing
Posted by: Daniel | February 16, 2006 10:58 PM
SV Sleuth: i think it might be easier to understand that the screenshots came from a presentation if instead of reading "Here are some examples:" change it to "Here are some samples taken from the RSA conference presentation:"
..it might clear up the confusion for some readers..
Posted by: Daniel | February 16, 2006 11:02 PM
sorry for the triple-post.. but i just want to show that it wasn't just me that was confused about the screenshots..
check out the comments: http://digg.com/security/Things_you_don_t_want_Google_to_find_-_screenshots
Posted by: Daniel | February 16, 2006 11:08 PM
Great post, I wasn't aware of the remote desktop and router things you could do. Boy that's bad =(
Posted by: Jesse | February 16, 2006 11:39 PM
I love this google hack stuff, makes great fun when nothing else is going on.
Posted by: Roomba | February 17, 2006 12:23 AM
Hadn't considered looking at a site's robots.txt. Interesting article.
--
SouthBeachCasa
http://www.southbeachcasa.com
Posted by: Derek Hampton | February 17, 2006 12:23 AM
Hehe, great job collecting this
Posted by: Ivan Minic | February 17, 2006 12:53 AM
Uh, SS death records are public. Not a hack.
Posted by: Anonymous | February 17, 2006 10:09 AM
How long before spammers start positioning themselves for the search queries in this article?
They already do position themselves for all kinds of MP3 queries :-(
Posted by: David Kaspar | February 17, 2006 10:58 AM
Was it checked whether Kurtz just fell into some honeypots? This seems to be reasonable as this talk was very LONG after JOHNNY LONG was the first who introduced this topic. You can read all this stuff in his book. Quoting the ideas of a book is not a real hack.
Posted by: karl | February 17, 2006 1:46 PM
Great Article
Just goes to show that the weakest link in any security system is still human ;)
Posted by: Big Ian | February 17, 2006 1:48 PM
Heh very nice :P
Posted by: dave | February 18, 2006 12:25 AM
http://www.google.com.au/language_tools?hl=en
guys... check out this google's mistake... its funny..... see what u get in the end....
Try this...
1. Open google
2. click 'language tools' link. Google Link
3. Write "Aishwarya's mom is very nice" in 'Translate text:' textbox.
4. Select "English to Spanish" in the below combo.
5. Press Translate and wait for translation.
6. Now copy the translated text from the above text and paste it in
the 'Translate text:' textbox.
7. Select "Spanish to English" in the below combo.
8. Press Translate and wait for translation.
9. Enjoy
Posted by: Anonymous | February 19, 2006 12:53 AM
it is scary, does the word security have any meaning these days?
Posted by: Alex | February 19, 2006 6:28 AM
Scary, very scary.
Posted by: George Hayduke | February 19, 2006 5:00 PM
security is what is in your brain , the rest is data.
personal security is 9mm.
Posted by: Hemaworstje | February 21, 2006 12:24 AM
This is just the tip of the iceberg... you would believe all the email and stuff you can read. People are in need of a wake-up call to finally get serious about security... then again, there were plenty of warnings about 911 and look where that got us? Oh, well....
Posted by: Cowicide | February 21, 2006 10:07 PM
here you go. what you all been wanting to know. how its done why google and the other search engines are so hush and so excited.
check out the truth about webspiders. This might not be new for the advanced surfer but how google got involved and became so huge is definitely not public knowledge. also why yahoo dumped google. where did amazon go with their browser?
MSN is in a dilemma but I have spoon fed them all that i gave google and yahoo. to name a few.
http://spaces.msn.com/spiderbotsownzuall/
my blog shows you the way. wanna compete against google? I have the key right there. Free. Google got greedy!
Posted by: xspider2006 | March 11, 2006 8:53 AM
Another interesting search is for credit card numbers using the number range search.
Posted by: Ann Nonymous | April 25, 2006 12:16 AM
Yeah that would be very scary to know that someone can find out my credit card number on google.
Posted by: Champ Bailey | May 9, 2006 8:18 PM
Scary!! it's amazing what people reveal online!
Posted by: hacker not cracker | June 14, 2006 7:59 AM
shut up is that possible lol
Posted by: amde | January 27, 2007 2:24 PM
Search Hacker does this trick too, but can be used to find variety of file formats like wav, mp3, doc, cvs, wma, mpg, xls, zip, mid, mpeg, pdf, rar, avi, mov, txt and torrents. I tried Search Hacker and it works, but some results return errors. Can’t blame Search Hacker for that, just skip and try another result. http://www.searchhacker.com
Search Hacker has a sister site called Cam Hacker which can be used for searching unprotected live webcams. Search Hacker deserves to be in your bookmarks, however, if you are a hard working sucker, then you can try searching the hard way. http://www.camhacker.com
Posted by: Vidal | April 12, 2007 12:18 PM
Erase all google everything!
Posted by: Brent Norvell | April 21, 2007 9:09 AM