Google-Fu and Security – Be Careful What You Search For

My wife says I’m great at searching the Web. I can find anything, she says. Well, I’m not sure I agree, but I have found a lot of fun stuff on the web by learning about searching, especially Google tools. My friend and the co-author of this blog Bob Cromwell has turned me on to some of those techniques.

Recently Ars Technica reported on a US Government warning about information available through Google searches. The techniques are well documented at and other sites; all one has to do is know what to look for. Here are a few of the “sophisticated” tools one can use on Google:

  • intext: makes Google look for that word in the text of a page. intext:chocolate makes sure the word chocolate is in the text of the page.
  • intitle: looks for the word in the title. intitle:recipe looks for pages with recipe in the title.
  • site: looks only on a specified site. looks on the site of your favorite instructor-led virtual and live training company
  • filetype: looks for files of a particular type: xls, pdf, almost anything.

So, how might someone use these to find something interesting? Well blog shows how to find webcams this way.

Bob’s site has some good examples.

It is also fun to see what people have as spreadsheets. Try searching for

passwords filetype:xls

But be wary of clicking on any files that might have executable code! You could also get creative and look for “SSN”, often used for “Social Security Number”, and so forth. The sheer universe of opportunities, and the lack of security at many sites combined with the (hopefully unintentional) sharing of files that should be kept confidential, is probably what led the FBI and DHS to warn about the dangers of these searches.

These searches are sometimes called “dorks”. Here is a site with lots of them:

The point is that there is a lot of stuff shared on the web that shouldn’t be. You might try googling for stuff you think you’re not sharing. You should also try these dork searches on your organization’s sites. Hopefully you won’t find anything, of course…
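One way to run that self-check offline, as an added example that is not part of the original post: the sketch below evaluates the four operators listed earlier against an inventory of your own pages, such as a crawl export. The inventory format, the function names and the example.com URLs are assumptions, and the matching is a simplification of how Google evaluates these operators.

```python
import re
from urllib.parse import urlparse
OPERATORS = {"intext", "intitle", "site", "filetype"}

def parse_dork(query):
    """Split a query into (operator, value) pairs; bare words become 'any'."""
    terms = []
    for token in query.lower().split():
        op, sep, value = token.partition(":")
        terms.append((op, value) if sep and op in OPERATORS and value else ("any", token))
    return terms

def has_word(word, text):
    return re.search(r"\b" + re.escape(word) + r"\b", text.lower()) is not None

def matches(page, terms):
    """True if one inventory record satisfies every term (terms are ANDed)."""
    url = urlparse(page["url"])
    host, path = (url.hostname or "").lower(), url.path.lower()
    for op, value in terms:
        if op == "site":        # exact host or any subdomain, not a look-alike suffix
            ok = host == value or host.endswith("." + value)
        elif op == "filetype":  # judged by URL extension only (assumption)
            ok = path.endswith("." + value)
        elif op == "intitle":
            ok = has_word(value, page["title"])
        elif op == "intext":
            ok = has_word(value, page["text"])
        else:                   # bare word: title, body text or URL path
            ok = any(has_word(value, s) for s in (page["title"], page["text"], path))
        if not ok:
            return False
    return True

def audit(inventory, dorks):
    """Map each dork to the URLs in the inventory it would surface."""
    return {d: [p["url"] for p in inventory if matches(p, parse_dork(d))] for d in dorks}

# Constructed sample inventory (hypothetical crawl export of your own sites).
INVENTORY = [
    {"url": "https://www.example.com/finance/passwords.xls", "title": "Sheet1", "text": "user admin"},
    {"url": "https://www.example.com/recipes/cake.html", "title": "Cake recipe", "text": "Melt the chocolate."},
    {"url": "https://intranet.example.com/hr/staff.pdf", "title": "Staff list", "text": "Name, SSN, Department"},
    {"url": "https://files.example.org/passwords.xls", "title": "passwords", "text": ""},
]

if __name__ == "__main__":
    for dork, hits in audit(INVENTORY, ["passwords filetype:xls", "intext:ssn filetype:pdf"]).items():
        print(f"{dork!r}: {hits or 'nothing exposed'}")
```

Any URL this reports is a candidate for removal, access control or a de-indexing request before a real search engine surfaces it.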

It is beyond question that there is a lot of information out there that shouldn’t be. Confidentiality is an important pillar of security, but people have to know that by default some things are made public. Unless someone tells them to check, they are unlikely to do so. Participants in Learning Tree Course 468, System and Network Security Introduction, know this, and I suggest you take the course to learn more about information leakage and confidentiality.

What interesting stuff have you found on the web?

To your safe computing,
John McDermott

