Google Hacking Against Privacy

21
Outline Google Hacking Privacy Searches Countermeasures Future Work Conclusion Google Hacking against Privacy Emin ˙ Islam Tatlı [email protected] Department of Computer Science, University of Mannheim (on leave to the University of Weimar) Fidis Third International Summer School Karlstad-Sweden, 6-10 August 2007 Emin ˙ Islam Tatlı (University of Mannheim) Google Hacking against Privacy

TAGS:

description

Using google search engine to find sensitive data

Transcript of Google Hacking Against Privacy

Page 1: Google Hacking Against Privacy

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Google Hacking against Privacy

Emin Islam Tatlı[email protected]

Department of Computer Science, University of Mannheim(on leave to the University of Weimar)

Fidis Third International Summer School Karlstad-Sweden,6-10 August 2007

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 2: Google Hacking Against Privacy

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Outline

1 Google Hacking

2 Privacy SearchesIdentification DataSensitive DataConfidential DataSecret Data

3 Countermeasures

4 Future Work

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 3: Google Hacking Against Privacy

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

MotivationAdvanced Search ParametersExamples of Google Hacking

Motivation

Google has the index size over 20 billion entries

try to search -"fgkdfgjisdfgjsiod"

Hackers use google to search vulnerabilities

called Google Hackingvulnerable servers, files and applications, files containingusernames-passwords, sensitive directories, online devices, etc.Google Hacking Database [1] ⇒ 1423 entries in 14 groups (byJuly 2007)

What about Private Data?

In this talk, we find out many private data with google

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 4: Google Hacking Against Privacy

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

MotivationAdvanced Search ParametersExamples of Google Hacking

Advanced Search Parameters

[all]inurl

[all]intext

[all]intitle

site

ext, filetype

symbols: - . * |

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 5: Google Hacking Against Privacy

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

MotivationAdvanced Search ParametersExamples of Google Hacking

Examples of Google Hacking I

Unauthenticated programs

"PHP Version" intitle:phpinfo inurl:info.php

Applications containing SQL injection & path modificationvulnerabilities

"advanced guestbook * powered" inurl:addentry.php

intitle:"View Img" inurl:viewimg.php

Security Scanner Reports

"Assessment Report" "nessus" filetype:pdf

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 6: Google Hacking Against Privacy

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

MotivationAdvanced Search ParametersExamples of Google Hacking

Examples of Google Hacking II

Database applications&error files

"Welcome to phpmyadmin ***" "running on * asroot@*" intitle:phpmyadmin

"mysql error with query"

Online Devices

inurl:"hp/device/this.LCDispatcher"

intitle:liveapplet inurl:LvAppl

"Please wait....." intitle:"SWW link"

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 7: Google Hacking Against Privacy

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Identification DataSensitive DataConfidential DataSecret Data

Privacy Searches

1 Identification Data

2 Sensitive Data

3 Confidential Data

4 Secret Data

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 8: Google Hacking Against Privacy

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Identification DataSensitive DataConfidential DataSecret Data

Identification Data I

Data related to the personal identity of Users

Name, address, phone, etc.

allintext:name email phone address intext:"thomasfischer" ext:pdf

Twiki inurl:"view/Main" "thomas fischer"

Curriculum Vitae

intitle:CV OR intitle:Lebenslauf "thomas fischer"

intitle:CV OR intitle:Lebenslauf ext:pdf ORext:doc

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 9: Google Hacking Against Privacy

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Identification DataSensitive DataConfidential DataSecret Data

Identification Data II

Usernames

intitle:"Usage Statistics for" intext:"TotalUnique Usernames"

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 10: Google Hacking Against Privacy

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Identification DataSensitive DataConfidential DataSecret Data

Sensitive Data I

Data which is normally public but whose reveal may disturb itsowner

Postings in Forums and Mailinglists

inurl:"search.php?search author=thomas"

inurl:pipermail "thomas fischer"

Sensitive Directories

intitle:"index of" inurl:"backup"

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 11: Google Hacking Against Privacy

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Identification DataSensitive DataConfidential DataSecret Data

Sensitive Data II

Web 2.0

"thomas fischer" site:blogspot.com

"thomas" site:flickr.com

"thomas" site:youtube.com

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 12: Google Hacking Against Privacy

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Identification DataSensitive DataConfidential DataSecret Data

Confidential Data I

Data that is expected to stay confidential against unauthorizedaccess

Chat Logs

"session start" "session ident" thomas ext:txt

Private Emails

"index of" inbox.dbx

"To parent directory" inurl:"Identities"

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 13: Google Hacking Against Privacy

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Identification DataSensitive DataConfidential DataSecret Data

Confidential Data II

Confidential Directories and Files

"index of" (private | secure | geheim | gizli)

"robots.txt" "User-agent" ext:txt

"This document is private | confidential |secret" ext:doc | ext:pdf | ext:xls

intitle:"index of" "jpg | png | bmp"inurl:personal | inurl:private

Online Webcams

intitle:"Live View / - AXIS" |inurl:view/view.shtml

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 14: Google Hacking Against Privacy

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Identification DataSensitive DataConfidential DataSecret Data

Secret Data I

Non-public Data

Usernames and Passwords

"create table" "insert into""pass|passwd|password"(ext:sql|ext:dump|ext:dmp|ext:txt)

"your password * is" (ext:csv | ext:doc |ext:txt)

Secret Keys

"index of" slave datatrans OR from master

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 15: Google Hacking Against Privacy

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Identification DataSensitive DataConfidential DataSecret Data

Secret Data II

Private Keys

"BEGIN (DSA|RSA)" ext:key

"index of" "secring.gpg"

Encrypted Messages

-"public|pubring|pubkeysignature|pgp|and|or|release"ext:gpg

-intext:"and" (ext:enc | ext:axx)

"ciphervalue" ext:xml

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 16: Google Hacking Against Privacy

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Sitedigger

Privacy Countermeasures I

User-self protection

Do not make any sensitive data like documents containing youraddress, phone numbers, backup directories, secret data likepasswords, private emails, etc. online accessible to the public.Provide only required amount of personal information for theWiki-similar systems.Use more pseudonyms over InternetConsidering forum postings and group mails, try to stayanonymous for certain email contentsDo not let private media get shared over Web2.0 servicesActivate authentication mechanisms for your online devices

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 17: Google Hacking Against Privacy

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Sitedigger

Privacy Countermeasures II

System-wide protection

Use automatic tools to check your system (e.g. gooscan,sitedigger, goolink)

Use Robot Exclusion Standart (robots.txt)

Be aware of database backups containing usernames andpasswords

Install and manage Google Honeypot [2]

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 18: Google Hacking Against Privacy

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Sitedigger

Sitedigger [4]

free from Foundstonecompany

supports both GHD andFoundstone’s own hackingdatabase

for a given host, all entries inthe database are queried

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 19: Google Hacking Against Privacy

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Future Work

We are implementing the tool for automatic searches of privatedata via Google

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 20: Google Hacking Against Privacy

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Conclusion

Search engines index our private data and make public

User privacy is in danger

We need to take the required privacy countermeasures andprotect our privacy

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 21: Google Hacking Against Privacy

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

References

Google Hacking Database. http://johnny.ihackstuff.com

Google Hack Honeypot Project. http://ghh.sourceforge.net

Goolink- Security Scanner.www.ghacks.net/2005/11/23/goolink-scanner-beta-preview/

SiteDigger v2.0 - Information Gathering Tool.http://www.foundstone.com

Gooscan - Google Security Scanner.http://johnny.ihackstuff.com

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy


Google Hacking and Personal Data Privacy

Google Hacking and Personal Data Privacy

Google Suthe-eye.eu/public/Site-Dumps/index-of/index-of.co.uk/Google/Liste-Google-Hacking.pdfListe-Google-Hacking V.2.1: -----: Google Suchbegriffe für Google Hacking: Boris Koch

Google Suthe-eye.eu/public/Site-Dumps/index-of/index-of.co.uk/Google/Liste-Google-Hacking.pdfListe-Google-Hacking V.2.1: -----: Google Suchbegriffe für Google Hacking: Boris Koch

Beyond Google Hacking

Beyond Google Hacking

Ethical Hacking and Countermeasures- Version 9 Technology -Ethical Hacking and Countermeasures- Version 9 ... Satellite Picture of a Residence K. ... Google Hacking Tool: Google Hacking

Ethical Hacking and Countermeasures- Version 9 Technology -Ethical Hacking and Countermeasures- Version 9 ... Satellite Picture of a Residence K. ... Google Hacking Tool: Google Hacking

Google Hacking Gs1004

Google Hacking Gs1004

Google Hacking - Part 1

Google Hacking - Part 1

Google Hacking: Convergence of Google and Bots

Google Hacking: Convergence of Google and Bots

Google Hacking for Cryptographic Secrets

Google Hacking for Cryptographic Secrets

GOOGLE HACKING - index-of.co.ukindex-of.co.uk/Google/Krishna_GOOGLE HACKING.pdf · - System email id lists - Medical records ... (Google Hack Honeypot, ... “ Google Hacking” ,

GOOGLE HACKING - index-of.co.ukindex-of.co.uk/Google/Krishna_GOOGLE HACKING.pdf · - System email id lists - Medical records ... (Google Hack Honeypot, ... “ Google Hacking” ,

Hacking Google AdWords

Hacking Google AdWords

Google Hacking Buscadores

Google Hacking Buscadores

Google Hacking - Dr.Ali Jahangirialijahangiri.org/wp/wp-content/uploads/2012/01/Google-Hacking-by... · Google Hacking Ali Jahangiri ... Google hack, hacking techniques, attack, ethical

Google Hacking - Dr.Ali Jahangirialijahangiri.org/wp/wp-content/uploads/2012/01/Google-Hacking-by... · Google Hacking Ali Jahangiri ... Google hack, hacking techniques, attack, ethical

Google Hacking Master List

Google Hacking Master List

Google Hacking - The Basics

Google Hacking - The Basics

Google Hacking against Privacy - Karlstad University · called Google Hacking vulnerable servers, files and applications, files containing usernames-passwords, sensitive directories,

Google Hacking against Privacy - Karlstad University · called Google Hacking vulnerable servers, files and applications, files containing usernames-passwords, sensitive directories,

Webinar Gratuito "Google Hacking"

Webinar Gratuito "Google Hacking"

Google hacking 1

Google hacking 1

Google Hacking Basic

Google Hacking Basic

Tracking Dog – A Privacy Tool Against Google Hacking · - erstes penetration testing tool für Google Hacking im Sektor Kryptographie - erstes zweisprachiges Programm (deutsch/englisch)

Tracking Dog – A Privacy Tool Against Google Hacking · - erstes penetration testing tool für Google Hacking im Sektor Kryptographie - erstes zweisprachiges Programm (deutsch/englisch)

Google Hacking Without Faces

Google Hacking Without Faces