Slashdot Mirror


Searching For Trouble With Google

achilles writes "From a recent eWeek article: 'Whether they realize it or not, many people leave sensitive information out in plain view on Web sites. But sooner or later, a Google search will dig it up.' The article goes on to list some examples, such as 'a search for credit card numbers. Try this one, for "Visa 4366000000000000..4366999999999999"' and other 'risky data' from careless users, such as Quicken files etc."

33 of 506 comments

  1. What I'm more surprised by by suso · · Score: 4, Interesting

    is that you can search for ranges of numbers like that in google. That's pretty neat.

  2. Liability by usefool · · Score: 5, Interesting

    Is Google liable for harvesting and publishing sensitive information? If a neighbour's window isn't closed, it doesn't mean you can take his naked photo and put it on a website, does it?

    Also, maybe those numbers are traps to catch people? Surely you need those goods to be sent to an address and someone has to eventually pick it up.

    --
    Uselessful technology (Air-Charged
  3. Try phpMyAdmin by Anonymous Coward · · Score: 5, Interesting

    Very popular is the search for "Welcome to phpMyAdmin".

    This will give you some nice databases to browse through.

  4. N.O. has a nice article on google searches also. by generalbeard · · Score: 2, Interesting

    Not getting just credit cards, but other nice little things.. New Order

  5. on the google link in this article... by generalbeard · · Score: 2, Interesting

    Check out the cached version of the third link and look in the text box. Hopefully it's not any of you... google link

  6. Terrifying by corby · · Score: 5, Interesting

    I had trouble believing this, so I downloaded one of the .QDF files from the referenced link. I am feeling completely sick. This guy's checking account number, credit card number, and meticulously-maintained transaction history are sitting on my computer.

    It's way too late to warn these people about the files. Their current identity is toast. So is their credit for the next seven or so years.

    Is there anything we can advise these people to do to minimize the damage at this point?

    1. Re:Terrifying by hugesmile · · Score: 2, Interesting
      Here's an idea:

      Notify them via a phone call, using the Relay phone system for the deaf.

      Not exactly a good use of the service that we all pay for, but it's fairly anonymous, and you can be non-threatening.

  7. Re:Nothing wrong with this... by nial-in-a-box · · Score: 4, Interesting

    Yeah, except these are the idiots that will also sue Google and try to take them down because of their own mistakes. If you're in some sort of struggle with an idiot, you'll be OK, but may God help you if that idiot has a halfway decent lawyer.

    --
    I am feeling fat and sassy
  8. Re:I blame the Google Toolbar for a lot of this by RsG · · Score: 5, Interesting

    Not to troll, but "real security and ease of use"? That's a contradiction in terms. Any system that's easy to use is almost certainly easy to crack (hint: the crackers have as easy a time as the user). Any secure system usually requires long passwords, encryption keys or something equally challenging. If your users keep their passwords the same for all systems, or have accessible copies to remind them, then the system isn't secure (remember last week when Gabe Newell's forum accounts got hacked because he used the same friggin' password and it was easy to guess?).
    If you mean security through obscurity then you're describing the current situation on the net, but the article states that Google is removing the obscurity aspect by making the entire net accessible. We no longer have any kind of assurance that a given nook or cranny is too obscure to bother with.
    I agree that people shouldn't leave their personal data lying around, but to simply assume that the general public can adopt security measures that we, the /. crowd, consider adequate and easy to use is silly. What we need is internet education (the do's and don'ts for the clueless).

    --
    Erotic is when you use a feather. Exotic is when you use the whole chicken.
  9. Re:Address by Anonymous Coward · · Score: 1, Interesting

    But Google provides a link to remove your number and address info. And it works.

  10. Re:only few matches by sigaar · · Score: 3, Interesting

    Only some of us are fortunate enough to learn from other people's mistakes. The rest of us have to be the other people....

    --
    sigaar
  11. Re:I blame the Google Toolbar for a lot of this by TheViciousOverWind · · Score: 2, Interesting
    The same problem actually exists with lots and lots of files...

    Try out these searches on Google: lots and lots of people are reckless with their data.
    --
    My <1000 UID is with a hot chick
  12. Re:Nothing wrong with this... by WIAKywbfatw · · Score: 4, Interesting

    I'll second that. A little over a month ago, a letter was sent to me but went missing in the post. That letter contained my full name, address and National Insurance number (similar to a US Social Security number).

    That lost letter contains more information than I'd give out to anyone who's not an authorised government official (policeman, doctor, etc). Through no fault of my own, and despite my vigilance (I shred and burn every bit of correspondence that has my name and address on it, let alone financial or other personal details) that information is now potentially in the hands of someone unscrupulous.

    If anything untoward were to happen, I have virtually no recourse, as it would be nigh on impossible to actually prove where my details were obtained and (as far as I know) it's impossible to get a new NI number: I'm stuck with the one that was issued to me at 16 until the day I die.

    --

    "Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
  13. eBooks by upside · · Score: 2, Interesting

    Another good one is searching for copyright phrases found on the front pages of eBooks such as O'Reilly CD Bookshelves. People seem to put up their eBooks for their own convenience. OTOH publishers seem to be doing a bit of Googling of their own, as they tend to be taken down pretty soon. Nothing that a quick wget won't handle...

    --
    I'm sorry if I haven't offended anyone
  14. P2P is Worse by deebaine · · Score: 5, Interesting

    On a lark, I've tried searching P2P (in this case, Kazaa), for things that people have inadvertently made available. The things I found were jaw-dropping. Beyond the expected credit card and finance information, I found patent applications, doctoral dissertations, corporate documents, etc.

    I'm pretty laissez faire on this one. If you leave your keys in the car and car running, the insurance company won't cover its theft (or at least, so goes the lore). Same principle applies here, I think.

    -db

    1. Re:P2P is Worse by Slayer · · Score: 2, Interesting

      First: if you steal a car which has the key left in it and which is running, it's still punishable by law.

      Second (just a detail): If I had P2P running on my home PC, I'd post my doctoral thesis. It is published anyway (just check out your favourite universities' library), I don't earn money from selling it (in fact, you can find it online), so why not use P2P to distribute it. Hey, that's supposedly the official justification for P2P, not illegal MP3s!

  15. Re:try this by adavidw · · Score: 2, Interesting

    Don't forget "answer to life the universe and everything"

    Try it!

    -Aaron

  16. Re:How many of you... by noselasd · · Score: 2, Interesting

    I did that some weeks ago. Now, what would be the harm of that, given one erases the browser history rather quickly? Does Google store all searches somewhere?

  17. Re:Nothing wrong with this... by the+unbeliever · · Score: 2, Interesting

    It's also not stored. :P

  18. Summary by hamlet2600 · · Score: 2, Interesting

    Seems that everything, except the personal information posted by a third party, can be summed up by a simple common acronym: RTFM. Ignorance of the law isn't a defense; neither should be not reading the manual.

    --
    Sometimes I wish computers were less friendly.
  19. Re:Nothing wrong with this... by hendridm · · Score: 2, Interesting
    It would be nice if we could switch away from totally unverified financial transactions like the current credit card systems, and start using something that at least requires a PIN.

    Perhaps this is an area where the likes of third-party merchant services such as 2checkout.com, Paysystems, and iBill can really shine. Ignoring the problems these specific merchant services have had, the model of passing the user to a secure page provided by a "trusted" company to enter credit card details could be a good marketing gimmick.

    Let's say you're shopping at <insert your favorite pricewatch merchant here>. You're tempted to make a purchase because their price is so much lower than your usual merchant of choice. Would you prefer to enter transaction details directly on their web site and trust them to store your information in a secure way, or would you prefer a system where you are passed to visa.com or citibank.com to enter the transaction details, which are never given to the merchant, just a check in the mail every 2-4 weeks?

    Just like how web sites plug their SSL cert seals with a verification image and link ("Secured with Thawte 128-bit encrypted - click here to verify"), perhaps the site could advertise something like, "For your protection, we do not store your credit card information anywhere on our servers. You will be passed to a secure page at Citibank.com and your transaction details will not be viewable by anyone but you. Click here to verify our partnership with Citibank.com". Okay, that sounds lame, but you get the idea. To me, it's reassuring that my transaction is being handled by a company whose best interest is in avoiding fraud versus passing them to a1discount-computer-parts.biz or whatever to store them as cleartext in their MySQL database...

  20. TWO WORDS!!!!!! by spidergoat2 · · Score: 4, Interesting

    "Parent directory". That Google search is the most fun you can have with your clothes on.

  21. Re:I blame the Google Toolbar for a lot of this by Lev13than · · Score: 2, Interesting

    The same problem actually exists with lots and lots of files...

    Nice links. In the same vein, try variations of this:

    "company confidential" filetype:ppt

    --
    When you have nothing left to burn you must set yourself on fire
  22. Re:Nothing wrong with this... by stephanruby · · Score: 2, Interesting
    In France, I've seen a system that protects consumers from giving out their real credit/debit card numbers to online merchants. Instead, the consumer would first have to go to his own bank's web site, he would have to enter the amount (or the range of the amount) he was about to charge, and then the bank would generate a unique one-time only credit card number. It was pretty nifty -- the online merchant would have no idea that you were giving him a one-time only credit card number.

    One drawback was that this additional service came at an extra service charge of a few dollars per month (can't remember the exact amount). If anyone hears of an American bank doing this, either online or in California, please let me know. I've heard of American banks having a similar service for preauthorizing checks (via fax), but what I saw in France is taking it quite a step further.

  23. Re:How many of you... by julesh · · Score: 2, Interesting

    for instance any page that does turn up (if any) will get the card number in the HTTP_REFERER URL.

    But, given that they must already have your card number in order to turn up on the list, this isn't actually a problem.

  24. Re:Keys in the ignition by jm2morri · · Score: 2, Interesting

    Actually, at least here in Canada, the insurance companies have to cover you even if the keys are in the ignition--theft is theft. I know this because my father just went through getting his truck stolen after leaving the keys in the ignition.

    The insurance companies will try to bully you into thinking that they don't have to cover you, but they do. However if they can convince you that they don't have to and you just go away then they don't have to pay you. This is the usual course of action.

    Luckily my father has a good insurance broker who knows the law and wouldn't let his client be bullied. Its astounding what insurance companies can get away with.

    This of course after them pleading poor to the Canadian government only to report record profits a couple of months later. What's $2.6Billion among friends? Now that is in Canadian funds but it still works out to about $100US or so :)

  25. One-time numbers are key by swb · · Score: 2, Interesting
    Which has been done and tried (Amex gave me a smart card reader; Visa has tried one-time CC numbers picked up from their site).

    I'd like to see more of that kind of thing, preferably all of the following as options:
    • One-time credit card numbers
    • One-time PIN numbers
    • Region lock-in and lock-out, with 'region' being defined as geographically tight as possible and discontiguous region mapping allowed (e.g., MN yes, Africa no, with "undefined=no" being the default). And yes, I know this would be tough to guarantee.
    • Merchant/bank lock-in and lock-out -- either limit to specific merchants or ban specific merchants or banks. My grocery store OK, PayPal not OK.

    "Good everywhere all the time, with no control at all" just seems like a bad idea. But since banks either shit on the consumer or the merchant when it comes to fraud, they have little incentive to secure the system. When they pass the new bankruptcy bill in Congress, even shoddy lending practices will be given a pass as well.
  26. Re:this was on cryptome by Anonymous Coward · · Score: 1, Interesting
    Bwaa. So trivial. So I just invented one myself:

    mpdsecret

    Who would believe that it would get this back?

  27. Just Call Them and help them out. by freality · · Score: 5, Interesting

    I just called all the people on one of the lists linked here and either left a msg or explained the situation. Took about 30 minutes. The clearest way I found of convincing them was to tell them how to do the Google search themselves. For most of them, their name in quotes and the word "MasterCard" or whatever brought up 1 page, the page with their info on it. I got many answering machines and disconnected numbers, but a few thanks as well.

  28. Interesting Stuff by Anonymous Coward · · Score: 1, Interesting

    I once found some very interesting stuff using Google. Basically, it was all to do with the fact that customers of an online service (which my place of work used to use) were trying to use client-side scripting to do something that should have been done by server-side scripting; so their web sites were full of JavaScript (which some people still think is secure). The sites also necessarily linked to the central server, and were giving away information in cleartext that really was not meant for public consumption. Because there were these links to the central server script -- complete with the variable names and values in the query string -- on several pages on the clients' sites, Googlebot found them and indexed them. (THE PROPER WAY would have been to bury the variables which dealt with authentication in a local CGI script, which would then call the central CGI script. Authenticating to the local script is left as an exercise for the reader. At any rate, damage is inherently limited because the attacker does not gain the actual authentication tokens; only the chance to do whatever limited acts the site's programmer has chosen to allow.)

    I am not saying any more. My boss told them what they had done, they know who we are and there could be repercussions. But anyway, I'll google for the same information again in a few months' time and see if it's there. If so, I might do a write-up. In my book, if you leave your valuables lying around where you know there are thieves, you deserve to be taught a lesson -- and you should be glad with knowing that your valuables are being taken care of by someone like me, rather than broken by some of the thugs out there.

  29. I got over 10,000 pages of credit card listings! by rfc1394 · · Score: 4, Interesting
    His example only selects cards belonging to one issuer (because the first 4 digits are the same), and only got 8 hits. Let's not be pikers and do the whole range of Visa cards: the number 4 followed by 15 digits. And let's do MasterCard (50-53 followed by 14 digits) while we're at it; let's not discriminate!

    For Visa, I did this one and got 2450 pages of listings of credit card numbers. Doing the same for Master Card returns only another 481 pages - not just card numbers, but web pages containing numbers - and some are test pages to demonstrate how LUHN codes work, but I don't think they all are. Oh, let's not leave home without American Express, where we can find a whopping 7,780 pages of listings!

    I don't think they are all tests. Some include the number, expiration date, plus the name, address and telephone number of some people who apparently placed orders on-line. A great way to commit fraud or implement identity theft, wouldn't you say?

    My guess is that if you called some of these people you would find out that yes, that is their credit card number and they had no idea it had been exposed.

    Oh, I forgot to troll for Social Security Numbers. Now that returns 7 million pages, most being things like zip codes and such, but it wouldn't be hard to do that by redoing the search on an automated basis by inserting the '-' where appropriate and generating several thousand searches. At random I picked a range and tried all Social Security 301-01 numbers, and got 115 pages. Not only that, but the text ad from Google was for a company that offered on-line searches of social security information! Very helpful too!

    Paul Robinson

    --
    The lessons of history teach us - if they teach us anything - that nobody learns the lessons that history teaches us.
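The Luhn check that rfc1394 mentions above is what separates the "test pages to demonstrate how LUHN codes work" from typos and random 16-digit strings, and it is also the first filter a site owner would run over their own pages before Google indexes them. The scanner below is an added example, not code from the thread or from eWeek: it pulls 13-19 digit runs (with optional space or dash separators) out of a page, classifies them by the well-known issuer prefixes and lengths (Visa 4, MasterCard 51-55 and 2221-2720, American Express 34/37), and marks each one Luhn-valid or not. The sample page text is constructed for the example; the "valid" numbers in it are the industry's published test numbers, not anyone's card.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A candidate is 13 to 19 digits, optionally separated by single spaces or dashes,
# and not glued to other digits on either side.
CANDIDATE_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(number: str) -> bool:
    """Luhn (mod 10) check digit test; `number` is digits only."""
    digits = [int(c) for c in number]
    if len(digits) < 2:
        return False
    total = 0
    # Walk from the right. Position 0 is the check digit; every second digit
    # to its left is doubled, and doubled values above 9 have 9 subtracted.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(number: str) -> Optional[str]:
    """Classify by issuer prefix and length; None if it looks like no card scheme."""
    n = len(number)
    if number[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if number[:2] in ("51", "52", "53", "54", "55") and n == 16:
        return "MasterCard"
    if 2221 <= int(number[:4]) <= 2720 and n == 16:  # MasterCard 2-series range
        return "MasterCard"
    if number[:2] in ("34", "37") and n == 15:
        return "American Express"
    return None


@dataclass(frozen=True)
class Hit:
    brand: str
    number: str
    luhn_ok: bool


def find_card_candidates(text: str) -> List[Hit]:
    """Return every digit run that matches a card scheme, with its Luhn result."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        number = re.sub(r"[ -]", "", m.group())
        brand = card_brand(number)
        if brand is None:
            continue
        hits.append(Hit(brand, number, luhn_valid(number)))
    return hits


def likely_real(text: str) -> List[Hit]:
    """The subset worth a phone call: scheme prefix matches AND the Luhn digit checks out."""
    return [h for h in find_card_candidates(text) if h.luhn_ok]


# Constructed sample page. The three Luhn-valid numbers are published test numbers.
SAMPLE_PAGE = """Order #1234567890123456 confirmed.
Card: 4111 1111 1111 1111  exp 05/06
Card: 5555-5555-5555-4444  exp 11/05
Card: 378282246310005      exp 01/07
Card: 4366 0000 0000 0001  exp 03/06  (one digit off; fails Luhn)
Phone: 555-0100
"""

if __name__ == "__main__":
    for hit in find_card_candidates(SAMPLE_PAGE):
        print(f"{hit.brand:16} {hit.number}  luhn_ok={hit.luhn_ok}")
```

A Luhn pass only says the string is well-formed; it does not say the card is live, and the order number on the first line is skipped only because no scheme prefix matches, so a scanner like this belongs in the pipeline as a triage step, not as the final word. Run it against your own web root (and the directory listings that "Parent directory" searches expose) before someone else does.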
  30. Re:Nothing wrong with this... by peatbakke · · Score: 2, Interesting

    In the United States, a lot of credit card companies are issuing single-purchase numbers. I think a few of them allow you to set the amount available, then use the generated number to make the purchase. I think it's an excellent solution to online CC transactions that doesn't require overhauling the whole transaction system.

    I'm in Germany at the moment, and we have a pretty good system for transactions that don't involve cash. Most people here don't use credit cards or cheques; they use bank-issued debit cards and bank transfers.

    The debit card can only be used in person. You have to supply the card ... there's no cheating by just providing the number or anything like that. Can't really use it for online transactions, but it's not meant for that. Cashiers are usually pretty meticulous about checking your signature, so you have relatively good physical security.

    There's a surprising number of bank transfers ... you use it for almost everything: rent, utilities, regular bills, paying your friends back, paying for things online, and just about anything except for general shopping.

    For every bank transfer you make, you have to supply a transaction authorization number (TAN). When you open an account, you're given a sheet with a couple hundred of these numbers, and you have to use them in sequence. When you want more, you go to the bank, present a valid ID of somesort, and get another sheet.

    It's a pretty good system, very convenient, but would require quite a bit of infrastructure changes in the US ...

  31. Asking for Trouble! Zeitgeist by Steve+Cowan · · Score: 2, Interesting

    I worry, now that it's on Slashdot, a certain Visa search will end up on Zeitgeist for sure!