The trouble with Google hacking techniques

By Bill Brenner, Senior News Writer
08 May 2007 | SearchSecurity.com

Security Wire Daily News

Some IT security professionals say the threat posed by Google hacking techniques is overblown and that companies can easily avoid it with a layered security program. One skeptical expert is Ira Winkler, founder of the Internet Security Advisors Group (ISAG) and author of such books as "Spies Among Us." In this Q&A, he talks about how Google hacking is not new and why he thinks IT pros who aren't aware of it should go back to security school.

After our initial story on Google hacking, you emailed me with some disagreements. Talk about some of the points you disagreed on.
Ira Winkler: That you can use Google to gather a lot of information isn't new. Johnny Long wrote a book on the subject and George Kurtz has similarly done a lot of work on how you can look for proprietary information on the Internet. Examples like the use of Google Earth are also not new. Google Earth is not real-time satellite imagery that can provide intelligence data and the same information can be found through a variety of other services, besides the fact that building plans with much more detail are on file at public offices.

What really bothers me is that people are looking at something that has been well established for some time and saying 'Oh my God, I've never heard of this before,' which is really not saying too much about the industry as a whole when something like this makes a lot of news.

Isn't there an argument to be made that Google is still a relatively new phenomenon and that there are a lot of smart IT security professionals out there who aren't necessarily going to be privy to this particular problem?
Winkler: Google is in the dictionary now and is well-established. As far as how it can be used or not used, the fact that there are articles about it is in some ways a good thing, but in other ways it's shocking that there are people who don't know the history of information security who are now security practitioners. The thing is, when you don't know history you will repeat it.

What other threats besides Google hacking do you think security practitioners should already know about?
Winkler: I just read an advertisement from one company that all of a sudden, Word, Excel and PowerPoint can be used to deliver malicious code. Macro problems have been around and known for over a decade now. The thing is there are a lot of people coming in [to the IT security industry] and there must be some core base of knowledge they have to bring to the industry. I'm not saying articles like this don't help people know about it. The shocker is that this is noteworthy and there are people who don't know what's out there and they're theoretically part of the profession. It doesn't say a whole lot about the profession as a whole if something like this is new to them. If this is new to them they have to go back and take some basic courses and read more books on the subject before selling themselves as a security practitioner, in my opinion.

Some IT professionals say that if a company's sensitive information makes it into the public domain it's the IT practitioner's fault for not having a layered defense to prevent it from happening. What do you say to that?
Winkler: I say yes and no. Sometimes things happen accidentally and there's no such thing as perfect security. You'll always have some idiot somewhere who will leak out information and put something on a Web site or email because someone sounded nice on the phone. No matter what you do, someone will always do something dumb or accidentally. At the same time, that doesn't mean you don't go ahead and use a whole bunch of services already out there to look for just this sort of thing.

Talk about some of those services and whether you blame individuals or companies in general for not making sure everyone knows the security basics.
Winkler: There's a company called Cyveillance that's been in the business for more than a decade that has services to let companies search for their proprietary information on a regular basis. The reason something seems stupid is because it defies common sense. But to defy common sense you have to have common knowledge, and if companies aren't giving their people that common knowledge, like what can and can't be put on the Internet, it's not really the fault of the individual. It's the fault of the company, and very few companies have really good Web-posting policies.

