Google not 'hackers' best friend'

Internet users have become concerned that search engines may now be a hacker's best friend following the introduction of a 'file format' search option by Google.

Launched almost a month ago, the option allows users to search for specific file types, namely Word, Excel, PowerPoint, PDF, Postscript and Rich Text Format.

But a number of web reports and mailing list discussions have speculated recently that such options will help hackers track down sensitive files located on internet facing servers.

One such posting on a security newsgroup claimed that searching using the string 'Index of / +banques +filetype:xls' eventually turned up sensitive Excel spreadsheets from French banks. The same technique could also be used to find password files.

But Mark Read, network security analyst at MIS, said the concept was nothing new and that it has been possible to engineer search engines to look for such files for years.

"The sites that would come back in the results from such responses obviously don't care about security in the first place," he told vnunet.com. "In order for these pages to be indexed in the first place, the search engine spider needs to be able to find them, which it does through a link on a previous page."

"If somebody has hyperlinked to these pages/files, or somebody has allowed a directory to be listed therefore leaving a directory listing for a spider to follow, then they are just sending out an open invite," he added.

Google's own stance is that the search engine is indexing publicly available information which the company defines as "anything placed on the public internet and not blocked to search engines in any way".

Read said: "At the end of the day, though, if you're going to have sensitive info and unprotected admin scripts on your web root, relying purely on the 'nobody will ever find them' attitude, then you really should consider looking for another job not involving computers.

"A lot of people are starting to take security seriously, but there's still a lot of common sense security mistakes being made by some fairly large key players out there."