Tuesday, November 5, 2024

Google Hacking Not Fun For You

Securing one’s server is a waste of time if someone leaves a spreadsheet full of usernames and passwords where it can be found with a public search.

“Secrets are cool. Secrets are the root of cool.”
— Hubertus Bigend clues in Hollis Henry, in William Gibson’s “Spook Country”

They call it Google Hacking, and it means being able to find secret stuff with the help of a well-crafted query fed to Google, for which the search engine dutifully spits back some immensely interesting results.

We have seen this numerous times. Searching for controllable webcams and songs comes to mind right away. The Royal Pingdom blog says it isn’t a good idea to let Google have your secrets, though.

“You want Google to index your site and make you visible and searchable,” said Pingdom, an uptime monitoring firm. “Google can also index more sensitive information that was never meant to be public, and can therefore be a useful tool for hackers if they want to probe your site for vulnerabilities.”

Online crimes mirror offline crimes, in that criminals look for the easiest way into a place. We’ve heard most burglaries happen where the criminals come in the front door.

Leaving username/password files, even if they are encrypted, available for public search isn’t much better than putting a key under the doormat and hoping for the best. People who do this, in the view of the Google Hacking Database, are “googledorks, inept or foolish people as revealed by Google.”

Google fights back by looking for queries that match patterns made by searches from automated scripts. Some Google hacks may slam into a message from the search engine, saying the query can’t be processed.

Pingdom made some suggestions that a prudent webmaster should already have performed, like keeping sensitive data off the server when possible, and setting access rights appropriately. As the saying goes, an ounce of prevention is worth a pound of cure.
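As an added illustration of those two suggestions (not code from Pingdom or the original article), the Python sketch below walks a web document root and reports files that look like credential stores or data exports, noting whether each is world-readable. The extension and file-name lists and the constructed sample tree are assumptions made for this example.

```python
import os
import stat
import tempfile

# Assumed patterns for this example; tune them to what your site really stores.
RISKY_EXTENSIONS = {".xls", ".xlsx", ".csv", ".sql", ".bak", ".log", ".mdb"}
RISKY_NAMES = {".htpasswd", "passwd", "passwords.txt", ".env"}


def audit_docroot(docroot):
    """Return sorted (relative_path, reason, world_readable) for risky files."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        for name in filenames:
            lowered = name.lower()
            ext = os.path.splitext(lowered)[1]
            if lowered in RISKY_NAMES:
                reason = "credential-style file name"
            elif ext in RISKY_EXTENSIONS:
                reason = "data export or backup extension " + ext
            else:
                continue
            full = os.path.join(dirpath, name)
            # The "other" read bit is only a rough signal: a file the web
            # server account can read is still served even when it is clear.
            world_readable = bool(os.lstat(full).st_mode & stat.S_IROTH)
            findings.append((os.path.relpath(full, docroot), reason, world_readable))
    return sorted(findings)


def build_sample_docroot():
    """Create a constructed sample tree so the example runs offline."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "admin"))
    samples = {
        "index.html": 0o644,
        os.path.join("admin", "users.xls"): 0o644,   # world-readable
        os.path.join("admin", ".htpasswd"): 0o640,   # restricted, still in docroot
    }
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        with open(path, "w") as handle:
            handle.write("constructed sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for rel, reason, world in audit_docroot(build_sample_docroot()):
        flag = "WORLD-READABLE" if world else "restricted"
        print(f"{rel}: {reason} [{flag}]")
```

Anything the audit reports is a candidate for moving outside the document root entirely; tightening permissions is the fallback when the file has to stay.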
