silicon-valley-sleuth

a blog from

Things you don't want Google to find

  • Tweet this

"Hacking Google" isn't exactly new. That is, using the search engine to look for confidential information. But as McAfee's senior vice president for Risk Management George Kurtz demonstrated today at RSA conference, that didn't prevent users and organisations to post those goodies online for anyone to find.

"You almost get bored finding all these password files. It used to be fun in the old days when you found a password file. Now you just go to Google and find thousands of them," Kurtz said.

The ultimate online resource for Google hacking btw is this website. (update: due to high traffic, the site is currently (2/16/2006 11:52AM Pacific Time) down. Make sure you check it out at a later stage)

Here are some samples taken from the RSA conference presentation:

Img_2368

A search for Payrol.xls turned up a nice overview of employees and their hourly wages.

Img_2369

not very advanced, but still rather effective: "not for distribution" and "confidential"

Img_2373

So you removed that file with the password, but did you think about Google cache?

Img_2374

Yes, that's the management interface for a Netgear router that was found using Google. It still had the default login and password settings. What more do you want?

Img_2376

Search for sites with "Remote desktop web connection" in the title, and you'll find... remote desktops that you can take over. If the user sees you taking over, simply say that you're the system administrator working to bolster the user's security. Kurtz did that once during a security audit and it worked well.


Img_2379

Death records with a social security number. search for: ssn 111111111..999999999 death records

Img_2380

and more social security numbers, these were used by a university to identify their students. It's illegal to use social security numbers for that, but this school apparently didn't care.

 

Img_2383

Technically not a Google hack, but the robots.txt file will tell you which directories the website operator doesn't want you to see. Therefore it should be worth a look. This one is for the site of the whitehouse.gov

Img_2357
George Kurtz

Tags: rsa 2006, RSA conference, security, mcafee

15 Feb 2006

Do you agree?

Add your comment

<p>Hi<br /> Ive been saying for quite a while that true hackers, arent the stereotyped computer nerds. They are just observant people who know what to look for. That article is a little disturbing, but nothing</p>

Posted by: Pioneer 28 Sep 2007

<p>Erease all google everything!</p>

Posted by: Brent Norvell 21 Apr 2007

<p>Search Hacker does this trick too, but can be used to find variety of file formats like wav, mp3, doc, cvs, wma, mpg, xls, zip, mid, mpeg, pdf, rar, avi, mov, txt and torrents. I tried Search Hacker and it works, but some results return errors. Can’t blame Search Hacker for that, just skip and try another result. <a href="http://www.searchhacker.com"><a href="http://www.searchhacker.com">http://www.searchhacker.com</a></a></p> <p>Search Hacker has a sister site called Cam Hacker which can be used for searching unprotected live webcams. Search Hacker deservers to be in your bookmarks, however, if you are a hard working sucker, then you can try searching the hard way. <a href="http://www.camhacker.com"><a href="http://www.camhacker.com">http://www.camhacker.com</a></a></p>

Posted by: Vidal 12 Apr 2007

<p>shut up is that possible lol</p>

Posted by: amde 27 Jan 2007

<p>Scarry!! its amazing what people reveal online!</p>

Posted by: hacker not cracker 14 Jun 2006

<p>Yeah that would be very scary to know that someone can find out my credit card number on google.</p>

Posted by: Champ Bailey 09 May 2006

<p>Another interesting search is for credit card numbers using the number range search.</p>

Posted by: Ann Nonymous 25 Apr 2006

<p>Hello ! This is very [url=<a href="http://www.google.com/bb497]good[/url]"><a href="http://www.google.com/bb497]good[/url]">http://www.google.com/bb497]good[/url]</a></a> site !!</p>

Posted by: WebMan 15 Mar 2006

<p>here you go. what you all been wanting to know. how its done why google and the other search engines are so hush and so excited.</p> <p>check out the truth about webspiders. This might not be new for the advance surfer but how google got involved and became so huge is definitly not public knowledge. also why yahoo dumped google. where did amazon go with thier browser?</p> <p>MSN is in a dilema but I have spoon fed them all that i gave google and yahoo. to name a few.</p> <p></p> <p><a href="http://spaces.msn.com/spiderbotsownzuall/"><a href="http://spaces.msn.com/spiderbotsownzuall/">http://spaces.msn.com/spiderbotsownzuall/</a></a></p> <p>my blog shows you the way. wanna compete against google? I have the key right there. Free. Google got greedy!</p>

Posted by: xspider2006 11 Mar 2006

<p>This is just the tip of the iceberg... you would believe all the email and stuff you can read. People are in need of a wake-up call to finally get serious about security... then again, there were plenty of warnings about 911 and look where that got us? Oh, well....</p>

Posted by: Cowicide 21 Feb 2006

<p>security is what is in your brain , the rest is data.<br /> personal security is 9mm.</p>

Posted by: Hemaworstje 21 Feb 2006

<p>Scary, very scary.</p>

Posted by: George Hayduke 19 Feb 2006

<p>it is scary, the word security does have any meaning this days ?</p>

Posted by: Alex 19 Feb 2006

<p><a href="http://www.google.com.au/language_tools?hl=en"><a href="http://www.google.com.au/language_tools?hl=en">http://www.google.com.au/language_tools?hl=en</a></a></p> <p>guys... check out this google's mistake... its funny..... see what u get in the end....</p> <p>Try this...</p> <p>1. Open google<br /> 2. click 'language tools' link.Google Link <br /> 3. Write "Aishwarya's mom is very nice" in 'Translate text:' textbox.<br /> 4. Select "English to Spanish" in the below combo.<br /> 5. Press Translate and wait for translation.<br /> 6. Now copy the translated text from the above text and paste it in<br /> the 'Translate text:' textbox.<br /> 7. Select "Spanish to English" in the below combo.<br /> 8. Press Translate and wait for translation.<br /> 9. Enjoy</p>

Posted by: Anonymous 19 Feb 2006

<p>Heh very nice :P</p>

Posted by: dave 18 Feb 2006

<p>Great Article</p> <p>Just goes to show that the weekest link in any security system is still human ;)</p>

Posted by: Big Ian 17 Feb 2006

<p>Was is checked whether Kurtz just fell into some honeypots ? This seems to be reasonable as this talk was very LONG after JOHNNY LONG was the first who introduced this topic. You can read all this stuff in his book. Quoting the ideas of a book is not a real hack.</p>

Posted by: karl 17 Feb 2006

<p>How long before spammers start position themselves for the search queries in this article?</p> <p>They already do position themselves for all kinds of MP3 queries :-(</p>

Posted by: David Kaspar 17 Feb 2006

<p>Uh, SS death records are public. Not a hack.</p>

Posted by: Anonymous 17 Feb 2006

<p>Hehe, great job collecting this</p>

Posted by: Ivan Minic 17 Feb 2006

<p>Hadn't considered looking at a site's robots.txt. Interesting article.</p> <p>--<br /> SouthBeachCasa<br /> <a href="http://www.southbeachcasa.com"><a href="http://www.southbeachcasa.com">http://www.southbeachcasa.com</a></a></p>

Posted by: Derek Hampton 17 Feb 2006

<p>I love this google hack stuff, makes great fun one nothing else is going on.</p>

Posted by: Roomba 17 Feb 2006

<p>Great post, I wasn't aware of the remote desktop and router things you could do. Boy thats bad =(</p>

Posted by: Jesse 16 Feb 2006

<p>sorry for the triple-post.. but i just want to show that it wasnt just me that was confused about the screenshots..</p> <p>check out the comments: <a href="http://digg.com/security/Things_you_don_t_want_Google_to_find_-_screenshots"><a href="http://digg.com/security/Things_you_don_t_want_Google_to_find_-_screenshots">http://digg.com/security/Things_you_don_t_want_Google_to_find_-_screenshots</a></a></p>

Posted by: Daniel 16 Feb 2006

<p>SV Sleuth: i think it might be easier to understand that the screenshots came from a presentation if instead of reading "Here are some examples:" change it to "Here are some samples taken from the RSA conference presentation:"</p> <p>..it might clear up the confusion for some readers..</p>

Posted by: Daniel 16 Feb 2006

<p>My mistake, sorry.. i didnt realize that this was a presentation, obviously i didnt read the article closely enough. ..and now i look like an idiot..</p> <p>but anyway, it was a very interesting news post, thanks for sharing</p>

Posted by: Daniel 16 Feb 2006

<p>Thats pretty interesting, i didn't know it was that easy to hack into stuff</p>

Posted by: Gage Black 16 Feb 2006

<p>wow thats pretty scarry</p>

Posted by: The Information Bank 16 Feb 2006

<p>@Big Dog and others, I think the author already made clear that it was a presentation and what you see are photos taken during the presentation itself. I doubt one can just walk to the front, plug in a USB memory stick, and start pressing Alt+PrintScrn...</p>

Posted by: John Bokma 16 Feb 2006

<p>Did you know that you can hit Alt+PrintScrn to take snap shots of what is on your computer screen? It beats pulling out a camera and transferring files.</p> <p>Just a heads up!</p>

Posted by: Big Dog 16 Feb 2006

<p>Probably old news, but it's amazing what kind of cams are open to the public. See: <a href="http://johnbokma.com/mexit/2005/01/09/security-webcam-hunting.html"><a href="http://johnbokma.com/mexit/2005/01/09/security-webcam-hunting.html">http://johnbokma.com/mexit/2005/01/09/security-webcam-hunting.html</a></a> for more info.</p>

Posted by: John Bokma 16 Feb 2006

<p>What are you talking about Daniel? They are pictures of a live presentation. You know, like powerpoint...on a big screen...using a projector. Think before you flame.</p>

Posted by: jbro 16 Feb 2006

<p>Daniel-<br /> Wow, technology has really advanced quite a bit that you can capture a screenshot of an image from a projector by pressing 'Print Screen'. I keep trying that, but I just get a screenshot of my own PC. Are you using Vista or something?</p>

Posted by: RJ 16 Feb 2006

<p>looks like it's picts from a presentation, thanks though.</p>

Posted by: John 16 Feb 2006

<p>RE: Daniel: <br /> These are photos of slides with that were shown at the RSA Conference in San Jose this week. Not pictures of my monitor.</p>

Posted by: SV Sleuth 16 Feb 2006

<p>holy hell.. as i read through this article all i could think was "wow, looks like someone doesn't know how to take screenshots.."</p> <p>dont use a camera to take screenshots, use software on the computer or simply "print screen" on your keyboard!</p>

Posted by: Daniel 16 Feb 2006

<p>Ok, that's just scary.<br /> I think I'll go through my server's files again.</p>

Posted by: daedal 16 Feb 2006

<p>Re: Ben: </p> <p>You're right. just added the link to the post's body.</p>

Posted by: SV Sleuth 16 Feb 2006

<p>I think this one should have been mentioned ..</p> <p><a href="http://johnny.ihackstuff.com/index.php?module=prodreviews"><a href="http://johnny.ihackstuff.com/index.php?module=prodreviews">http://johnny.ihackstuff.com/index.php?module=prodreviews</a></a></p>

Posted by: Ben 16 Feb 2006

Add your comment
 

Add your comment

We won't publish your address
By submitting a comment you agree to abide by our Terms & Conditions. Your comment will be moderated before publication.
Submit your comment
To send to more than one email address, simply separate each address with a comma.