Silicon Valley Sleuth, an insider's view from Silicon Valley
A blog from vnunet.com




Things you don't want Google to find

"Hacking Google", that is, using the search engine to look for confidential information, isn't exactly new. But as George Kurtz, McAfee's senior vice president for Risk Management, demonstrated today at the RSA Conference, that hasn't stopped users and organisations from posting those goodies online for anyone to find.

"You almost get bored finding all these password files. It used to be fun in the old days when you found a password file. Now you just go to Google and find thousands of them," Kurtz said.

The ultimate online resource for Google hacking, by the way, is this website. (Update: due to high traffic, the site is currently down as of 2/16/2006 11:52 AM Pacific Time. Make sure you check it out at a later stage.)

Here are some samples taken from the RSA conference presentation:

Img_2368

A search for Payrol.xls turned up a nice overview of employees and their hourly wages.

Img_2369

Not very advanced, but still rather effective: "not for distribution" and "confidential".

Img_2373

So you removed that file with the password, but did you think about Google cache?

Img_2374

Yes, that's the management interface for a Netgear router that was found using Google. It still had the default login and password settings. What more do you want?

Img_2376

Search for sites with "Remote desktop web connection" in the title, and you'll find... remote desktops that you can take over. If the user sees you taking over, simply say that you're the system administrator working to bolster the user's security. Kurtz did that once during a security audit and it worked well.


Img_2379

Death records with a social security number. Search for: ssn 111111111..999999999 death records

Img_2380

And more social security numbers: these were used by a university to identify its students. It's illegal to use social security numbers for that, but this school apparently didn't care.

 

Img_2383

Technically not a Google hack, but the robots.txt file will tell you which directories the website operator doesn't want you to see, so it is worth a look. This one is for whitehouse.gov.
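A check a site operator can run over their own document root for the kinds of exposure in the samples above, including paths that robots.txt names but that are still present. This is an added example, not part of the original post or the presentation; the rule lists, reason labels and sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed rules modelled on the searches in the samples above; tune for your site.
NAME_RULES = [(re.compile(r"payrol", re.I), "payroll-style filename"),
              (re.compile(r"passw(or)?d", re.I), "password-file name")]
CONTENT_RULES = [
    (re.compile(rb"not for distribution|confidential", re.I), "confidentiality marking"),
    # Nine digits with optional dashes: an SSN candidate (ZIP+4 codes match too).
    (re.compile(rb"(?<!\d)\d{3}-?\d{2}-?\d{4}(?!\d)"), "SSN-like number"),
]
DISALLOW = re.compile(rb"^\s*Disallow:\s*(/\S+)", re.I | re.M)

def audit_webroot(root, max_bytes=1_000_000):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings.update((rel, why) for rx, why in NAME_RULES if rx.search(name))
            try:
                with open(full, "rb") as fh:
                    data = fh.read(max_bytes)  # raw bytes; binary formats need a parser
            except OSError:
                continue
            findings.update((rel, why) for rx, why in CONTENT_RULES if rx.search(data))
            if rel == "robots.txt":
                # robots.txt is public and is not access control: flag listed paths that exist.
                for m in DISALLOW.finditer(data):
                    path = m.group(1).decode("ascii", "replace").strip("/")
                    if os.path.exists(os.path.join(root, path)):
                        findings.add((path + "/", "listed in robots.txt, present in web root"))
    return sorted(findings)

def demo():
    """Audit a constructed sample tree; every file and value here is made up."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "private"))
        samples = {"index.html": b"<h1>Welcome</h1>",
                   "Payrol.xls": b"name,hourly wage",
                   "private/memo.txt": b"CONFIDENTIAL - Not for distribution",
                   "students.csv": b"id,name\n000-00-0000,Test Student",
                   "robots.txt": b"User-agent: *\nDisallow: /private/\nDisallow: /gone/\n"}
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        return audit_webroot(root)
```

Findings are candidates for review rather than confirmed leaks, and removing a flagged file does not remove a copy already held in a search engine's cache.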

Img_2357
George Kurtz

Tags: rsa 2006, RSA conference, security, mcafee

February 15, 2006 at 02:36 AM | Permalink


Comments

I think this one should have been mentioned ..

http://johnny.ihackstuff.com/index.php?module=prodreviews

Posted-by: Ben | 16 Feb 2006 15:20:12

Re: Ben:

You're right. just added the link to the post's body.

Posted-by: SV Sleuth | 16 Feb 2006 17:34:32

Ok, that's just scary.
I think I'll go through my server's files again.

Posted-by: daedal | 16 Feb 2006 20:12:58

holy hell.. as i read through this article all i could think was "wow, looks like someone doesn't know how to take screenshots.."

don't use a camera to take screenshots, use software on the computer or simply "print screen" on your keyboard!

Posted-by: Daniel | 16 Feb 2006 20:20:07

RE: Daniel:
These are photos of slides that were shown at the RSA Conference in San Jose this week. Not pictures of my monitor.

Posted-by: SV Sleuth | 16 Feb 2006 20:57:28

looks like it's picts from a presentation, thanks though.

Posted-by: John | 16 Feb 2006 21:00:42

Daniel-
Wow, technology has really advanced quite a bit that you can capture a screenshot of an image from a projector by pressing 'Print Screen'. I keep trying that, but I just get a screenshot of my own PC. Are you using Vista or something?

Posted-by: RJ | 16 Feb 2006 21:07:32

What are you talking about Daniel? They are pictures of a live presentation. You know, like powerpoint...on a big screen...using a projector. Think before you flame.

Posted-by: jbro | 16 Feb 2006 21:09:53

Probably old news, but it's amazing what kind of cams are open to the public. See: http://johnbokma.com/mexit/2005/01/09/security-webcam-hunting.html for more info.

Posted-by: John Bokma | 16 Feb 2006 21:30:58

Did you know that you can hit Alt+PrintScrn to take snap shots of what is on your computer screen? It beats pulling out a camera and transferring files.

Just a heads up!

Posted-by: Big Dog | 16 Feb 2006 21:54:47

@Big Dog and others, I think the author already made clear that it was a presentation and what you see are photos taken during the presentation itself. I doubt one can just walk to the front, plug in a USB memory stick, and start pressing Alt+PrintScrn...

Posted-by: John Bokma | 16 Feb 2006 22:03:41

wow that's pretty scary

Posted-by: The Information Bank | 16 Feb 2006 22:17:26

That's pretty interesting, I didn't know it was that easy to hack into stuff

Posted-by: Gage Black | 16 Feb 2006 22:18:55

My mistake, sorry.. i didn't realize that this was a presentation, obviously i didn't read the article closely enough. ..and now i look like an idiot..

but anyway, it was a very interesting news post, thanks for sharing

Posted-by: Daniel | 16 Feb 2006 22:58:06

SV Sleuth: i think it might be easier to understand that the screenshots came from a presentation if instead of reading "Here are some examples:" change it to "Here are some samples taken from the RSA conference presentation:"

..it might clear up the confusion for some readers..

Posted-by: Daniel | 16 Feb 2006 23:02:17

sorry for the triple-post.. but i just want to show that it wasn't just me that was confused about the screenshots..

check out the comments: http://digg.com/security/Things_you_don_t_want_Google_to_find_-_screenshots

Posted-by: Daniel | 16 Feb 2006 23:08:19

Great post, I wasn't aware of the remote desktop and router things you could do. Boy that's bad =(

Posted-by: Jesse | 16 Feb 2006 23:39:36

I love this google hack stuff, makes great fun when nothing else is going on.

Posted-by: Roomba | 17 Feb 2006 00:23:25

Hadn't considered looking at a site's robots.txt. Interesting article.

--
SouthBeachCasa
http://www.southbeachcasa.com

Posted-by: Derek Hampton | 17 Feb 2006 00:23:49

Hehe, great job collecting this

Posted-by: Ivan Minic | 17 Feb 2006 00:53:20

Uh, SS death records are public. Not a hack.

Posted-by: | 17 Feb 2006 10:09:56

How long before spammers start positioning themselves for the search queries in this article?

They already do position themselves for all kinds of MP3 queries :-(

Posted-by: David Kaspar | 17 Feb 2006 10:58:08

Was it checked whether Kurtz just fell into some honeypots? This seems to be reasonable as this talk was very LONG after JOHNNY LONG was the first who introduced this topic. You can read all this stuff in his book. Quoting the ideas of a book is not a real hack.

Posted-by: karl | 17 Feb 2006 13:46:21

Great Article

Just goes to show that the weakest link in any security system is still human ;)

Posted-by: Big Ian | 17 Feb 2006 13:48:54

Heh very nice :P

Posted-by: dave | 18 Feb 2006 00:25:56

http://www.google.com.au/language_tools?hl=en

guys... check out this google's mistake... it's funny..... see what u get in the end....

Try this...

1. Open google
2. click 'language tools' link.
3. Write "Aishwarya's mom is very nice" in 'Translate text:' textbox.
4. Select "English to Spanish" in the below combo.
5. Press Translate and wait for translation.
6. Now copy the translated text from the above text and paste it in
the 'Translate text:' textbox.
7. Select "Spanish to English" in the below combo.
8. Press Translate and wait for translation.
9. Enjoy

Posted-by: | 19 Feb 2006 00:53:11

it is scary, does the word security have any meaning these days?

Posted-by: Alex | 19 Feb 2006 06:28:40

Scary, very scary.

Posted-by: George Hayduke | 19 Feb 2006 17:00:05

security is what is in your brain, the rest is data.
personal security is 9mm.

Posted-by: Hemaworstje | 21 Feb 2006 00:24:58

This is just the tip of the iceberg... you would believe all the email and stuff you can read. People are in need of a wake-up call to finally get serious about security... then again, there were plenty of warnings about 911 and look where that got us? Oh, well....

Posted-by: Cowicide | 21 Feb 2006 22:07:37

here you go. what you all been wanting to know. how it's done why google and the other search engines are so hush and so excited.

check out the truth about webspiders. This might not be new for the advanced surfer but how google got involved and became so huge is definitely not public knowledge. also why yahoo dumped google. where did amazon go with their browser?

MSN is in a dilemma but I have spoon fed them all that i gave google and yahoo. to name a few.

http://spaces.msn.com/spiderbotsownzuall/

my blog shows you the way. wanna compete against google? I have the key right there. Free. Google got greedy!

Posted-by: xspider2006 | 11 Mar 2006 08:53:24


Another interesting search is for credit card numbers using the number range search.

Posted-by: Ann Nonymous | 25 Apr 2006 00:16:31

Yeah that would be very scary to know that someone can find out my credit card number on google.

Posted-by: Champ Bailey | 9 May 2006 20:18:52

Scary!! it's amazing what people reveal online!

Posted-by: hacker not cracker | 14 Jun 2006 07:59:13

shut up is that possible lol

Posted-by: amde | 27 Jan 2007 14:24:46

Search Hacker does this trick too, but can be used to find variety of file formats like wav, mp3, doc, cvs, wma, mpg, xls, zip, mid, mpeg, pdf, rar, avi, mov, txt and torrents. I tried Search Hacker and it works, but some results return errors. Can’t blame Search Hacker for that, just skip and try another result. http://www.searchhacker.com

Search Hacker has a sister site called Cam Hacker which can be used for searching unprotected live webcams. Search Hacker deserves to be in your bookmarks, however, if you are a hard working sucker, then you can try searching the hard way. http://www.camhacker.com

Posted-by: Vidal | 12 Apr 2007 12:18:55

Erase all google everything!

Posted-by: Brent Norvell | 21 Apr 2007 09:09:05

Hi
I've been saying for quite a while that true hackers, aren't the stereotyped computer nerds. They are just observant people who know what to look for. That article is a little disturbing, but nothing

Posted-by: Pioneer | 28 Sep 2007 23:04:58

© Incisive Media Ltd. 2008
Incisive Media Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, is a company registered in the United Kingdom with company registration number 04038503