
Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants

Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


Source: The Age

Posted on February 19, 2004

      Sitting at his laptop, Chris O'Ferrell types a few words into the Google search engine and up pops a link to what appears to be a military document listing suspected Taliban and al-Qaeda members, dates of birth, places of birth, passport numbers and national identification numbers.

      Another search yields a spreadsheet of names and credit card numbers.

      "All search engines will get you this," O'Ferrell says, pointing to files he has found on the internet: medical records, bank account numbers, students' grades and the docking locations of 804 United States Navy ships, submarines and destroyers.

      And it is all legal, using the world's most powerful search engine.

      Cybersecurity experts say an increasing number of private or secret documents are being kept online in out-of-the-way corners of computers around the world, leaving governments, individuals and companies vulnerable to security breaches.

      At some sites and message groups, techno-hobbyists even offer instructions on how to find sensitive documents using a relatively simple search. Although it does not technically trespass, the practice is sometimes called "Google hacking".

      "There's a whole subculture that's doing this," says O'Ferrell, a long-time hacking expert and chief technology officer of security consultancy Netsec, based in Washington.

      In the decade they have been around, search engines such as Google have become more powerful. The web, too, has become a richer source of information as more businesses and government agencies rely on it to transmit and share information. All of this information is stored on servers, each linked to the internet.

      For many reasons - improperly configured servers, holes in security systems and human error - a wide assortment of material not intended for public viewing is publicly available. Once Google or another search engine finds it, it is nearly impossible to draw back into secrecy.

      This is giving rise to more activity from "Googledorks", who troll the net for confidential goods, security engineers say.

      "As far as the number of sites affected by this, it's in the tens of thousands," says Johnny Long, a researcher and developer for Computer Sciences Corporation and veteran hacker, who maintains a website that he says keeps him connected to the hacker community.

      He spoke about Google hacking at the Def Con hacker convention in Las Vegas mid last year, which has led to more awareness of vulnerabilities, he says.

      Google gets singled out for these searches because of its effectiveness.

      "The reason Google's good is that they give you more information and they give you more tools to search," O'Ferrell says.

      Its powerful computer "crawls" over every web page on the net at least every couple of weeks, which means surfing every public server on the globe, grabbing every page and every link attached to every page. Those results are then catalogued using complex mathematical systems.

      The most basic way to keep Google from reaching information in a web server, security experts say, is to set up a digital gatekeeper in the form of an instruction sheet for the search engine's crawler. That file, which is called robots.txt, defines what is open to the crawler and what is not. But if the robots.txt file is improperly configured or inadvertently left off, a hole is opened where Google gets in. And because Google's crawlers are legal, no alarms will go off.
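The gatekeeper described above only works if the rules actually cover the files that matter, and a single typo in a directive is silently ignored by crawlers. The audit below is an added example (not from the article or any vendor) that parses a constructed robots.txt with Python's standard robotparser and lists which sensitive-looking files on a constructed web root Googlebot would still be allowed to fetch. The file names, the site URL and the extension list are assumptions for illustration.

```python
import urllib.robotparser

# Constructed sample robots.txt: one misspelled directive ("Dissallow") that
# crawlers will ignore, and one rule that names a single spreadsheet but not
# the other exports sitting next to it.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /internal/
Dissallow: /reports/
Disallow: /exports/customers.xls
"""

# Constructed listing of what the web root actually serves.
SAMPLE_PATHS = [
    "/index.html",
    "/internal/staff-list.xls",
    "/reports/q3-totals.xls",
    "/exports/customers.xls",
    "/exports/customers-2003.xls",
    "/uploads/ssn-list.csv",
]

# Assumed list of extensions worth flagging; extend to taste.
SENSITIVE_EXT = (".xls", ".csv", ".mdb", ".sql", ".bak")


def crawlable_sensitive_paths(robots_txt, paths, agent="Googlebot",
                              site="http://example.com"):
    """Return the sensitive-looking paths that `agent` is allowed to crawl.

    Uses the standard library parser, so it reads robots.txt the same way a
    well-behaved crawler does: unknown directives are dropped, and Disallow
    rules are plain path prefixes.
    """
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return [
        p for p in paths
        if p.lower().endswith(SENSITIVE_EXT) and rp.can_fetch(agent, site + p)
    ]


if __name__ == "__main__":
    for path in crawlable_sensitive_paths(SAMPLE_ROBOTS, SAMPLE_PATHS):
        print("still crawlable:", path)
```

Anything this flags should be moved off the public server or behind authentication rather than just added to robots.txt, because the file is advisory: a crawler that ignores it, or a person who reads it, still reaches every listed path directly.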

      "The scariest thing is that this could be happening to the government and they may never know it was happening," Long says.

      "If there's a chink in the armor, (the hackers) will find it."

      Google and other search-engine officials say they are not in a position to control the problem.

      With a vast system of more than 10,000 computer systems constantly collecting new information on more than three billion sites, the company cannot and does not want to police or censor what goes on the web, says Google's chief technology officer Craig Silverstein.

      "I think web masters have to be careful," he says. "The basic problem is that with three billion (websites), there's a lot of information out there."

      Google offers a tool on its own site, "Webmaster guidelines", on how to remove sites from Google's system, including its vast store of cached pages that may no longer be available online, Silverstein says.

      For hacking experts, Google hacking has a kind of populist allure: anyone with internet access can do it if they know the right way to search.

      "It's the easiest point-and-click hacking - it's fun, it's new, quirky, and yet you can achieve powerful results," says Edward Skoudis, a security consultant for INS, which helps government and business clients monitor what is visible from the web. "This concept of using a search engine for hacking has been around for a while, but it's taken off in the last few months, probably because of a new-found enthusiasm in the underground hacking community."

      Search strings including "xls", "cc" or "ssn" often bring up spreadsheets, credit-card numbers and social security numbers linked to a customer list. Adding the word "total" to a search often pulls up financial spreadsheets totalling dollar figures. An experienced hacker can find an alarming amount of supposedly private information.

      "On a (client's) bank site, I found an Excel spreadsheet with 10,000 social security and credit card numbers," Skoudis says.

      The bank's web server had been properly configured to keep such documents private, but someone had mistakenly put the information on the wrong side of the fence, he says. "Google found the open door and crawled in," Skoudis says.

      He confronted the "red-faced executives" and was told, "Just fix it, damn it."

      Google and other search-engine operators cannot gauge how frequently private documents are accessed using their sites or how many are removed for security reasons.

      "The challenge is that as the search-engine tool evolved, people got more lax about what they put on a publicly available web server," says Tom Wilde, vice-president and general manager of Terra Lycos' 19 search engines.

      He says "it would be impossible to monitor" the tens of millions of searches that take place each day and adds that he has never been notified of a security breach on his sites.

      It is unclear who is at fault when someone digs up a confidential document.

      "I don't know what law's been violated just for searching" on a publicly available search engine, says FBI spokesman Paul Bresson, noting the bureau has not yet taken action against people who have found secure documents using search engines. "If they use it for some sinister purpose, that's another issue."

      The availability of private information contributes to rising incidence of identity theft, which for the past four years has been the top consumer problem for the Federal Trade Commission. Last year it received nearly 215,000 complaints about identity theft, up from about 152,000 in 2002.

      But search engines are not the only threat to people's private information. In Australia, the Federal Privacy Commission investigated Melbourne online booking agency Ticketmaster7 for breaches of the Privacy Act after it was found to allow open access to customer details: the details could be retrieved simply by randomly altering the last four digits in the enquiry service's URL. Ticketmaster7 has since mended the problem, but the Federal Privacy Commissioner, Malcolm Crompton, says the internet has been around long enough for companies to make their sites secure.
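The Ticketmaster7 flaw is the classic insecure direct object reference: a record is served to whoever supplies its sequential number. The snippet below is an added illustration, not code from the article or from Ticketmaster7, showing the vulnerable lookup beside two fixes: checking that the authenticated user owns the record, and issuing references that carry a keyed tag so a guessed neighbouring number fails verification. The booking data, user names and secret are constructed for the example.

```python
import hashlib
import hmac

# Constructed server-side key; in a real service load it from a secrets store.
SERVER_SECRET = b"constructed-example-secret"

# Constructed bookings keyed by a sequential id, as the original service was.
BOOKINGS = {
    10001: {"owner": "alice", "detail": "Row A seat 1"},
    10002: {"owner": "bob", "detail": "Row B seat 7"},
}


def lookup_insecure(booking_id):
    """Vulnerable: any caller who changes the digits sees someone else's record."""
    return BOOKINGS.get(booking_id)


def lookup_secure(booking_id, session_user):
    """Fix 1: serve the record only to its authenticated owner.

    A missing record and someone else's record both return None, so the
    response does not reveal which ids exist.
    """
    rec = BOOKINGS.get(booking_id)
    if rec is None or rec["owner"] != session_user:
        return None
    return rec


def _tag(id_text):
    # Truncated HMAC over the id; unforgeable without SERVER_SECRET.
    return hmac.new(SERVER_SECRET, id_text.encode(), hashlib.sha256).hexdigest()[:16]


def make_reference(booking_id):
    """Fix 2: hand out '<id>-<tag>' instead of a bare guessable number."""
    return f"{booking_id}-{_tag(str(booking_id))}"


def lookup_by_reference(reference):
    """Reject any reference whose tag does not match its id, in constant time."""
    try:
        id_text, tag = reference.split("-", 1)
        booking_id = int(id_text)
    except ValueError:
        return None
    if not hmac.compare_digest(tag.encode(), _tag(id_text).encode()):
        return None
    return BOOKINGS.get(booking_id)
```

Use both fixes together where possible: the tagged reference stops casual URL editing, and the ownership check still protects a reference that leaks through a forwarded e-mail or a proxy log.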

      "It's just unacceptable to say it's too hard to get it right because people are already getting it right. It's not on to be fast and loose with personal information," he says.

      The apparent accessibility of personal information also raises the spectre of identity fraud for Australian net-users, even more so given that the estimated cost of identity fraud to taxpayers is said to have totalled $1.1 billion last year.

      Queensland University-based AusCERT, a non-profit computer security organisation, found in a survey of more than 200 organisations across the country that 42 per cent had experienced an attack on their IT networks that compromised the confidentiality, availability or integrity of their files. Its survey also revealed that Optus suffered a breach in 2001 resulting in the unauthorised copying of 425,000 usernames and passwords. The breach was eventually traced to a customer's home computer that had inadvertently allowed a hacker in.

      Once confidential pages are found, it is not easy to get them back under wraps.

      Even after a document has been pulled off a server, as was the case when MTV removed from its site a pre-Super Bowl press release promising "shocking moments" at the half-time show, documents often remain cached, or stored, in other search engines' computers so they can still be accessed.

      "Once it is placed online, it's very hard to get the digital horse back in the electronic barn," says Marc Rotenberg, executive director of the Electronic Privacy Information Centre. "It's close to impossible to get it back."
