Security Tip: Three Google searches you must know
There are three simple yet powerful Google searches that can help attackers virtually "case" your organization as a target for data theft. Try them. They should give you a bird's eye view of your Internet presence and just what the simplest Google-powered attackers will notice at first glance.
Three key searches:
(xxx.com should be replaced with your site)
| Search | Results |
| Site:xxx.com | Displays the systems under the domain known to Google and used by attackers to quickly identify hosts available to the Internet. Also quickly shows pages known to exist under the domain, allowing an attacker to quickly inventory the pages and structures, identify what technologies (HTML, Notes, ASP, PHP, etc.) are in use at the site. All of this information allows an attacker to focus their attacks. |
| Filetype:yyy site:xxx.com | Used by attackers to isolate potentially confidential data offered by your site. If improperly configured, your site can sometimes make even intended-to-be-private files available. Replace yyy with common file types like: doc, xls, pdf, txt, rtf, ppt, etc. It is not uncommon to find very sensitive data this way from customer lists to marketing plans and often social engineering fodder such as phone books, email addresses, etc. |
| Link:xxx.com | Reveals what sites are linking to your site. How is this helpful? Attackers can use it to find your business partners and others who might have special access through partner networks, firewall rules, VPNs, etc. **Bonus: Sometimes, you can use this to Google phishing and scam sites that may be linking to you to grab content and graphics! |
Performing these quick searches has big payoffs. You'll find outright problems such as phishing sites, inadvertent information leaks and even information that might make a social engineering attack easier. Obviously, if you find anything that shouldn't be there, you should remove it from your sites - even if that means an internal political battle. Attackers' use of Google is boundless. New "Google hacks" and security-related searches continually circulate. The ones listed here don't even scratch the surface, but at least they give you a head's up to immediate problems.
For more information on other useful security-related Google hacks, check out: http://johnny.ihackstuff.com. This is really the Mecca of Google mining and hacking data, so use the knowledge carefully and appropriately.
MicroSolved, Inc.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
