Why you should Google yourself -- and often
By Robert Vamosi on 10 August 2004
Within a few short years, Google has become the search engine of choice for most of us. In fact, to google is becoming an accepted English verb; it even appears in William Gibson's latest best-selling novel, Pattern Recognition. So of course there was standing room only at a recent talk about how Google helps online criminals. At this year's Black Hat Briefings USA and again a few days later at DefCon 12, security researcher Johnny Long demonstrated Google hacking, or how to find anything exploitable, such as vulnerable computer systems and even stolen credit card numbers, using Google.
These exposures aren't Google's fault. The blame lies with companies, agencies, and even well-meaning individuals who haven't yet grasped the privacy consequences of a good search engine. Nothing in Long's talk depends on secret tricks: the search operators he relies on are documented on Google's own features page, and criminal hackers (crackers) know them as well as anyone.
Go hack yourself
To see what the Internet knows about you, start at the Google site or the Google toolbar. Type your name in quotation marks, or, for a more refined search, type intext: (intext followed by a colon, no space) immediately followed by your name in quotes, which limits the results to pages that carry those words in their body text. Next try your street address or phone number; Google may turn up a church or social-group directory listing. If that doesn't surprise or outrage you, try your social security number or a credit card number. Bear in mind, though, that whatever you type into a search box is sent to, and logged by, the search engine, so a more cautious check is to search for your name together with only the last few digits of a sensitive number rather than the whole thing.
Many schools and universities still use social security numbers as identifiers for online directories, so that, for example, you can look up your grades via the Internet. But if they don't properly protect this information, a criminal may be able to use Google to link your name with your social security number. And even if the university in question uses only the last four digits of a social security number, you're still in trouble. If a criminal also knows a person's place of birth or city of social security registration, the first five digits can be guessed, but that's material for a separate column.
Civic duty
In some cases, the law requires posting sensitive information online. In the Black Hat demonstration, Long showed lists of social security numbers published to identify delinquent taxpayers within a specific community. In another example, one city's online expense reports revealed the city's credit card number, which had been used to pay for specific line items in the budget. (Typing filetype:xls together with a keyword restricts Google's results to Excel spreadsheets that contain that word, and such spreadsheets are posted to the Web in large numbers.)
Crackers can also find credit card numbers and social security numbers within court documents. Most of Long's Black Hat examples were of credit fraud exploits. Long showed various posts to public sites that contained credit card info in naïve attempts to order products or to make good on a warranty for a defective product. Such carelessness sent shockwaves through the room crowded with security researchers. Remember: e-mail and newsgroup posts are not secure venues for volunteering your credit card information.
Businesses, too
Crackers frequently combine social engineering with technical attacks against large corporations. Sometimes even seemingly innocent documents, ones without credit card or social security numbers, help. A company's downloadable stockholder report, for example, could reveal corporate interdependencies that let a cracker pose as an employee of a partner firm seeking a password for a joint project.
Other operators narrow a search further. intitle: matches words in a page's title, which is how error pages get found; their titles and bodies often disclose the platform and software version in use. site: followed by a domain restricts results to pages under that domain and its subdomains, so a single query lists every host and page Google has indexed for a company. inurl: matches words in the URL itself, so a query for a filename that commonly holds stored credentials can turn up password files that were never meant to be indexed. For a cracker looking to map a corporate network, these queries may do much of the job.
And it gets even worse
Long presented yet another example in which someone connected a new IIS server to the Web without changing its default settings. How did he know? The query allintitle:"Welcome to Internet Information Server" finds servers still serving the stock welcome page, which means nobody has configured them beyond the defaults; and if Google was able to index that page, the server is reachable from the Internet. Long presented evidence of several such careless parties and noted that anyone looking to break into servers behind corporate firewalls can take advantage of known weaknesses in the IIS defaults to gain internal access.
Google hacking is yet another example of convenient technology getting the better of us. Instead of taking Google for granted, we need to remember that criminals get the same easy access to information we get from a capable and quick search engine.
Companies should Google their own Web sites on a regular basis, using the same operators, and identify any information that shouldn't be public. And never put personal data such as your social security number on the Internet, not even temporarily on a resume. Once a search engine has snagged it, that personal information can live online long after you've removed the data.
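One way to make that self-audit routine, as an added example that is not code from this column or from Johnny Long's site: the Python script below builds the site-scoped queries a company would run against its own domain, and scans the text of documents about to be published for social security numbers and payment-card numbers, using the Luhn checksum to separate real card numbers from order numbers and other long digit strings. The operator terms beyond those named in the article (such as "index of" and admin), the domain example.com, and the sample documents are all constructed for the example.

```python
"""Audit what your own Web site is about to publish.

Added example, not from the column or from Johnny Long's site. Two parts:
  1. dork_queries() builds the site-scoped Google queries a company would run
     against its own domain with the operators the column names (site:,
     filetype:, intitle:, inurl:, intext:).
  2. scan_documents() checks document text for US social security numbers and
     payment-card numbers before (or after) the files reach the Web server.
The sample documents at the bottom are constructed for this example.
"""
from __future__ import annotations

import re

# Query templates. The terms paired with intitle:/inurl: are illustrative
# assumptions, not queries quoted from the talk.
DORK_TEMPLATES = [
    "site:{domain} filetype:xls",             # spreadsheets: expense reports, rosters
    "site:{domain} filetype:pdf",             # reports, court filings, annual reports
    'site:{domain} intitle:"index of"',       # auto-generated directory listings
    "site:{domain} inurl:admin",              # administrative paths exposed to crawlers
    'site:{domain} intext:"social security"',
]


def dork_queries(domain: str) -> list[str]:
    """Return the queries to paste into Google for one domain."""
    return [t.format(domain=domain) for t in DORK_TEMPLATES]


# A formatted US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13 to 19 digits, optionally separated by single spaces or hyphens; the Luhn
# check below does the real filtering.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card issuers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict[str, list[str]]:
    """Return SSN-shaped strings and Luhn-valid card-shaped strings found in text."""
    findings: dict[str, list[str]] = {"ssn": [], "card": []}
    findings["ssn"].extend(m.group() for m in SSN_RE.finditer(text))
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings["card"].append(m.group())
    return findings


def scan_documents(docs: dict[str, str]) -> dict[str, dict[str, list[str]]]:
    """Map each document name to its findings, keeping only documents with hits."""
    report = {}
    for name, text in docs.items():
        hits = find_sensitive(text)
        if hits["ssn"] or hits["card"]:
            report[name] = hits
    return report


# Constructed sample documents (4111 1111 1111 1111 is a standard test card number).
SAMPLE_DOCS = {
    "expenses-2004.csv": "line 12,catering,paid with card 4111 1111 1111 1111,340.00\n",
    "directory.html": "<tr><td>Doe, Jane</td><td>123-45-6789</td><td>CS 101: A</td></tr>\n",
    "orders.txt": "Order ref 1234 5678 1234 5678 shipped 10 Aug 2004\n",  # fails Luhn
    "press-release.txt": "Call 555-0100 for details about the bake sale.\n",
}

if __name__ == "__main__":
    for q in dork_queries("example.com"):
        print("query:", q)
    for name, hits in scan_documents(SAMPLE_DOCS).items():
        print(f"{name}: {hits}")
```

The two halves cover different windows: the queries only show what Google has already indexed, so the local scan is the step that catches a spreadsheet or directory page before it is crawled and cached. Treat card hits as leads rather than proof, since roughly one random 16-digit string in ten passes the Luhn check, and extend the patterns to whatever your own organisation handles (account numbers, employee IDs) that should never appear on the public site.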
Should you find any of your personal data on a Web site you don't control, I recommend asking the site owners to remove that information. Do you really want the church bake sale to reveal your name and home phone number to the world? And if you find such information on a cached Web page (Google's stored copy of a page as it looked when last crawled, which persists after the page has been taken off the live site), consult this page for more details.
For more about Google hacking, go to Johnny Long's site.
Have you Googled yourself lately? If so, were you surprised at what you found? Have your say below.
Comments (2)
Rob Abdul commented on 04/08/2009 08:50
My name, “Rob Abdul”, has been my brand name for the last 3 years.
Google has 3,360,000 results for my name Rob Abdul.
I was so proud when my name appeared in Google suggest.
It may not sound like much but at least 60 to 80 people Google me a month.
It is nice for the Ego, I must admit!
Jackie commented on 28/02/2007 14:46
How do I remove my personal info from Google?