security.itworld.com
  Search  
Security Home Page Security Webcasts Security White Papers Security Newsletters Security News Security Topics Careers ITworld Voices ITwhirled The Security site of ITworld.com

Security Tip: Three Google searches you must know

 security.itworld.com 11/17/2006

Brent Huston, MicroSolved, Inc.

There are three simple yet powerful Google searches that can help attackers virtually "case" your organization as a target for data theft. Try them. They should give you a bird's eye view of your Internet presence and just what the simplest Google-powered attackers will notice at first glance.

Three key searches:
(xxx.com should be replaced with your site)

Search Results
Site:xxx.com Displays the systems under the domain known to Google and used by attackers to quickly identify hosts available to the Internet. Also quickly shows pages known to exist under the domain, allowing an attacker to quickly inventory the pages and structures, identify what technologies (HTML, Notes, ASP, PHP, etc.) are in use at the site. All of this information allows an attacker to focus their attacks.
Filetype:yyy site:xxx.com Used by attackers to isolate potentially confidential data offered by your site. If improperly configured, your site can sometimes make even intended-to-be-private files available. Replace yyy with common file types like: doc, xls, pdf, txt, rtf, ppt, etc. It is not uncommon to find very sensitive data this way from customer lists to marketing plans and often social engineering fodder such as phone books, email addresses, etc.
Link:xxx.com Reveals what sites are linking to your site. How is this helpful? Attackers can use it to find your business partners and others who might have special access through partner networks, firewall rules, VPNs, etc. **Bonus: Sometimes, you can use this to Google phishing and scam sites that may be linking to you to grab content and graphics!


Performing these quick searches has big payoffs. You'll find outright problems such as phishing sites, inadvertent information leaks and even information that might make a social engineering attack easier. Obviously, if you find anything that shouldn't be there, you should remove it from your sites - even if that means an internal political battle. Attackers' use of Google is boundless. New "Google hacks" and security-related searches continually circulate. The ones listed here don't even scratch the surface, but at least they give you a head's up to immediate problems.

For more information on other useful security-related Google hacks, check out: http://johnny.ihackstuff.com. This is really the Mecca of Google mining and hacking data, so use the knowledge carefully and appropriately.

On this topic
Notes on a trading scandal: What went wrong at Société Générale?
Security best practices: CIOs from IBM, Intel, and Symantec share their lessons learned
Securing the Online User Experience: Building User Confidence and Stopping Fraud
Five Security Mistakes to Avoid
Comparing Approaches for Desktop Software Lockdown
Identity Theft Primer
Software Security: Building Security In
Get practical tips, IT news, how-tos, and the best in tech humor.

 

 Brent Huston is president and CEO of MicroSolved Inc., a systems and network security-consulting service for Fortune 500 companies and government facilities. He has 15 years of professional experience in cyber security testing, network monitoring, scanning protocols, firewalls, viruses and virus prevention formats, incident response, forensic computing and hacker techniques. He also served as co- author and technical editor of Hack Proofing Your E- Commerce Site.
Sponsored Links

Web Penetration & App Testing
Web Penetration Security Services. 300+ Clients. Free, Quick Quotes!
See how EASY REMOTE SUPPORT can be. Try WebEx FREE!
DELIVER SUPPORT MORE EFFICIENTLY. Remotely Control Applications. Leap Securely through Firewalls!
Protecting the Enterprise Network Through Web Security
New focus is being placed on securing Web-based threats.
Enterprise IP Goes Mobile
To maximize full productivity, companies must integrate their mobile applications with the IP network.
IMPROVE YOUR SUPPORT EFFICIENCY
WebEx lets you remotely control, configure and install applications and updates more efficiently.
» Buy a link now

Advertisements
Sponsored links
Locate Hidden Software on business PCs with this free tool
Top 5 Reasons to Combine App Performance and Security
KODAK i1400 Series Scanners stand up to the challenge
Bring harmony to your mix of UNIX-Linux-Windows computing environments
Home  Policy and standards Best practices
www.itworld.com    open.itworld.com     security.itworld.com     smallbusiness.itworld.com
storage.itworld.com     utilitycomputing.itworld.com     wireless.itworld.com

 
Contact Us   About Us   Privacy Policy    Terms of Service   Reprints  

CIO   Computerworld   CSO   GamePro   Games.net   IDG Connect   IDG World Expo   Infoworld   ITworld   JavaWorld   LinuxWorld  MacUser   Macworld   Network World   PC World   Playlist  

Copyright © Computerworld, Inc. All rights reserved

Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.