Our friend in Google...

Found this on another group today...

Via NY Transfer News Collective * All the News that Doesn't Fit

Reuters via Yahoo - Feb 13, 2005
http://story.news.yahoo.com/news?tmp...n_pluggedin_dc

PluggedIn: 'Google Hacking' Digs Up Sensitive Material

By Andy Sullivan

WASHINGTON (Reuters) - Hackers have found a handy tool to take control
of bank accounts, tap into corporate computer networks and dig up
sensitive government documents.

It's called Google.

The Internet's most popular search engine can find everything from
goldfish-care tips to old classmates in the blink of an eye, but it's
equally adept at finding caches of credit-card numbers and back doors
into protected databases.

Google Inc. and other search providers create an inventory of the World
Wide Web through an automated process that can uncover obscure Web pages
not meant for the public.

"If you don't want the world to see it, keep it off the Web," said
Johnny Long, a Computer Sciences Corp. researcher and author of "Google
Hacking for Penetration Testers."

Unlike other intrusion techniques, Google hacking doesn't require
special software or an extensive knowledge of computer code.

At a recent hackers' conference in Washington, Long demonstrated the
eye-opening results of dozens of well-crafted Google searches.

Using Google, identity thieves can easily find credit-card and
bank-account numbers, tax returns, and other personal information buried
in court documents, expense reports and school Web sites that contain
such information.

Google hackers can download Department of Homeland Security threat
assessments marked "For Official Use Only."

They can gain control of office printers, Internet phones and other
devices controlled through a Web interface -- including electrical power
systems.

"One Google query, a couple of buttons, you can actually turn off power
to their house," Long said.

Corporate spies can uncover passwords and user names needed to log on to
a corporate network, or find poorly configured computers that still use
default passwords.

A search for error messages can provide important clues for intruders as
well.

One particular Google feature allows users to pull up older versions of
a Web page. Such "cached" pages can turn up security holes even after
they've been fixed, or allow an intruder to scan a network without
leaving a footprint.

It's impossible to tell how often malevolent hackers use Google. But the
recent emergence of computer worms that spread using the search engine
suggests that Google hacking has been common practice for years, Long said.

"As soon as something gets to the worm phase, it's been in the manual
phase for quite some time," he said in an interview with Reuters.

Long said Google should not be blamed for the effectiveness of its
search engine, though he said the company could raise the alarm when it
notices suspicious activity.

"Google removes content from search results under very limited
circumstances," Google spokesman Steve Langdon said in an e-mail
message, citing pages that contain child pornography, credit-card
numbers and other personal information, or copyrighted material that is
used without permission.

Microsoft Corp.'s recent acquisition of several security firms
underlines the rising concern about online threats.

As awareness of Google hacking grows, security experts are boning up on
search techniques to make sure their systems aren't vulnerable.

Long's Web site (http://johnny.ihackstuff.com) has collected more than
1,000 Google searches that can uncover flaws, and free software programs
by Foundstone Inc. and SensePost can run those searches automatically.

Anybody with a Web site should Google themselves using a "site:" query
that lists every Web site they have available online, Long said.

"The most practical thing I can tell people is to be fully aware of what
their Google presence is. Companies and even individuals should be aware
of what they look like through Google," he said.

*
Search the NYTr Archives at:
http://olm.blythe-systems.com/pipermail/nytr/

To subscribe or unsubscribe or change your settings via the web, visit:
http://olm.blythe-systems.com/mailman/listinfo/nytr

================================================== ===============
NY Transfer News Collective * A Service of Blythe Systems
Since 1985 - Information for the Rest of Us
339 Lafayette St., New York, NY 10012
http://www.blythe.org e-mail:
================================================== ===============

--
Save photography - shoot a roll of film today!