
The trouble with Google hacking techniques

By Bill Brenner, Senior News Writer
08 May 2007 | SearchSecurity.com


Some IT security professionals say the threat posed by Google hacking techniques is overblown and that companies can easily avoid it with a layered security program. One skeptical expert is Ira Winkler, founder of the Internet Security Advisors Group (ISAG) and author of such books as "Spies Among Us." In this Q&A, he talks about how Google hacking is not new and why he thinks IT pros who aren't aware of it should go back to security school.

After our initial story on Google hacking, you emailed me with some disagreements. Talk about some of the points you disagreed on.
Ira Winkler: That you can use Google to gather a lot of information isn't new. Johnny Long wrote a book on the subject and George Kurtz has similarly done a lot of work on how you can look for proprietary information on the Internet. Examples like the use of Google Earth are also not new. Google Earth is not real-time satellite imagery that can provide intelligence data and the same information can be found through a variety of other services, besides the fact that building plans with much more detail are on file at public offices.

What really bothers me is that people are looking at something that has been well established for some time and saying 'Oh my God, I've never heard of this before,' which is really not saying too much about the industry as a whole when something like this makes a lot of news.


Isn't there an argument to be made that Google is still a relatively new phenomenon and that there are a lot of smart IT security professionals out there who aren't necessarily going to be privy to this particular problem?
Winkler: Google is in the dictionary now and is well-established. As far as how it can be used or not used, the fact that there are articles about it is in some ways a good thing, but in other ways it's shocking that there are people who don't know the history of information security who are now security practitioners. The thing is, when you don't know history you will repeat it.

What other threats besides Google hacking do you think security practitioners should already know about?
Winkler: I just read an advertisement from one company that all of a sudden, Word, Excel and PowerPoint can be used to deliver malicious code. Macro problems have been around and known for over a decade now. The thing is there are a lot of people coming in [to the IT security industry] and there must be some core base of knowledge they have to bring to the industry. I'm not saying articles like this don't help people know about it. The shocker is that this is noteworthy and there are people who don't know what's out there and they're theoretically part of the profession. It doesn't say a whole lot about the profession as a whole if something like this is new to them. If this is new to them they have to go back and take some basic courses and read more books on the subject before selling themselves as a security practitioner, in my opinion.

Some IT professionals say that if a company's sensitive information makes it into the public domain it's the IT practitioner's fault for not having a layered defense to prevent it from happening. What do you say to that?
Winkler: I say yes and no. Sometimes things happen accidentally and there's no such thing as perfect security. You'll always have some idiot somewhere who will leak out information and put something on a Web site or email because someone sounded nice on the phone. No matter what you do, someone will always do something dumb or accidentally. At the same time, that doesn't mean you don't go ahead and use a whole bunch of services already out there to look for just this sort of thing.

Talk about some of those services and whether you blame individuals or companies in general for not making sure everyone knows the security basics.
Winkler: There's a company called Cyveillance that's been in the business for more than a decade that has services to let companies search for their proprietary information on a regular basis. The reason something seems stupid is because it defies common sense. But to defy common sense you have to have common knowledge, and if companies aren't giving their people that common knowledge, like what can and can't be put on the Internet, it's not really the fault of the individual. It's the fault of the company, and very few companies have really good Web-posting policies.

