Can Bad Guys Google Your Passwords?
David Utter Staff Writer
2006-03-31
An article discussing the use of various operators for advanced searches on Google revealed just how effective they can be in malicious hands.
SecurityFocus.com writer Scott Granneman called Google "the most dangerous Web site on the Internet for many, many thousands of individuals and organizations."
"In the same way that Google can be used for good, though, it can also be used by malevolent individuals to root out vulnerabilities, discover passwords and other sensitive data, and in general find out way more about systems than they need to know," he said in his latest article.
The examples Granneman gives go beyond the mostly harmless Googling for open webcams or image file directories sitting on web servers with poorly configured access properties. A query that combines the intitle and site operators, "intitle:"index of" site:edu password", returns about 12,600 results from Google.
Granneman said most of the results retrieved this way would likely be useless. A few could be very valuable, just begging for someone to hit them with a brute-force password cracking tool to open up their secrets.
Even more interesting, and potentially of far greater interest to casual Googlites, is the filetype operator. This lets the user set the type of file to search for in a query. Granneman illustrated this with an example of searching for files named "budget" with the filetype set to .xls, the extension for the most widely used spreadsheet program in the world, Microsoft Excel.
Another possible option would be to search for PowerPoint files, with their .ppt extensions. Putting aside the obvious Dilbert jokes about discovering your competitor's presentations about using synergies to shift paradigms, businesses and government agencies love PowerPoint files.
Considering how poorly government agencies did when graded on their cyber-security, maybe people should be more concerned. Having a hostile, or even a friendly, government retrieve military strategies for scenarios like an attack on oil rigs in the Gulf of Mexico probably isn't in our country's best interests.
Granneman cited Microsoft's website development tool FrontPage as another potential avenue for disaster, considering its ease of use for the non-techie crowd:
FrontPage is touted by Microsoft as an extremely simple-to-use Web publishing solution that enables users to "move files easily between local and remote locations and publish in both directions". Unfortunately for those average Joes who buy into the hype, FrontPage is still a very complicated program that can easily expose passwords and other sensitive data if it is not administered correctly. Don't believe me? Just search Google for "_vti_pvt password intitle:index.of" and take a look at what you find.
FrontPage is not the only offender, but it is certainly an easy one to find in abundance on our favorite search engine.
Can bad guys Google your passwords today?
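One way to answer that question for your own site, as an added example that is not part of the original article or of Granneman's: a script that walks a local copy of a web root and flags what the queries above would surface (directories that would be served as "Index of" listings, .xls and .ppt files, anything under _vti_pvt, and file names containing "password"). The index file names, the finding labels and the sample directory tree are assumptions constructed for the demonstration.

```python
import os
import tempfile

INDEX_FILES = {"index.html", "index.htm", "default.htm"}  # assumed index names
DOCUMENT_EXTS = {".xls", ".ppt"}  # file types the article names


def audit_webroot(root):
    """Return sorted (reason, relative_path) findings for a local document root."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # With auto-indexing on, a directory lacking an index file is served
        # as an "Index of" page, which is what intitle:"index of" matches.
        if not ({f.lower() for f in filenames} & INDEX_FILES):
            findings.append(("listable-directory", rel_dir.replace(os.sep, "/")))
        in_vti = "_vti_pvt" in rel_dir.split(os.sep)
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            if in_vti:
                findings.append(("frontpage-private-file", rel))
            elif "password" in name.lower():
                findings.append(("password-in-name", rel))
            elif os.path.splitext(name)[1].lower() in DOCUMENT_EXTS:
                findings.append(("office-document", rel))
    return sorted(findings)


def build_sample_tree(root):
    """Create a small constructed web root; every file name here is made up."""
    for rel in ("index.html", "finance/budget.xls", "slides/index.html",
                "slides/strategy.ppt", "_vti_pvt/placeholder.txt",
                "backup/password.txt"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")


def demo():
    """Audit the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_webroot(root)


if __name__ == "__main__":
    for reason, path in demo():
        print(f"{reason:24} {path}")
```

Run against a real document root, `audit_webroot` gives a list to review: move or protect the flagged files, and either add an index file or turn off automatic directory listings for the flagged directories.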
---
Tags: password, security
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.