Slashdot Mirror


Searching For Trouble With Google

achilles writes "From a recent eWeek article: 'Whether they realize it or not, many people leave sensitive information out in plain view on Web sites. But sooner or later, a Google search will dig it up.' The article goes on to list some examples such as 'a search for credit card numbers. Try this one, for "Visa 4366000000000000..4366999999999999"' and other 'risky data' from careless users, such as QUICKEN files etc."
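
The defender's counterpart to the search the article describes is to sweep your own web root for card-like numbers before a crawler does. This is an added example, not code from the article or the thread: it finds digit runs of 13 to 19 characters, keeps only those that pass the Luhn checksum, masks them to the first six and last four digits, and walks a directory tree (the `scan_tree` function and the `SAMPLE` text are assumptions constructed here).

```python
import os
import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum that card numbers carry."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, folding 10..18 to 1..9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Luhn-valid card-like numbers in text, masked to the first 6 and last 4 digits."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r'[ -]', '', m.group(0))
        if len(set(digits)) > 1 and luhn_valid(digits):  # skip 0000... style filler
            found.append(digits[:6] + '*' * (len(digits) - 10) + digits[-4:])
    return found


def scan_tree(root: str) -> dict:
    """Map every file under root (e.g. a web root) to the masked PANs it contains."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, 'rb') as fh:
                text = fh.read().decode('latin-1')  # byte-transparent, so binary QDF files work too
            pans = find_pans(text)
            if pans:
                hits[path] = pans
    return hits


# Constructed sample text standing in for a stray file in a web directory; not real data.
SAMPLE = (
    "Order notes\n"
    "Visa 4111 1111 1111 1111 exp 12/06\n"
    "ref 4111111111111112 (typo, fails checksum)\n"
    "phone 555-0100-1234\n"
)

if __name__ == '__main__':
    print(find_pans(SAMPLE))  # ['411111******1111']
```

Run `scan_tree('/var/www')` (or wherever the document root lives) and review each hit; the masked output is safe to paste into a ticket.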

29 of 506 comments

  1. this was on cryptome by jabella · · Score: 5, Informative

    This was on bugtraq a week or two ago:

    Check it out and there was a discussion of it a few days later.

    Someone actually has a whole forum dedicated to finding things you can do with google here.

    Apparently this was even a DEFCON speech subject.

  2. I blame the Google Toolbar for a lot of this by twoshortplanks · · Score: 5, Informative
    It used to be the case that if you put something temporarily in a directory on your webserver (that didn't have indexes turned on) you could simply give the URL of the file to a couple of people to have a quick look at and not have to worry about putting a password on the file. Because it wasn't linked from anywhere, unless someone could guess the URL no-one else would be able to find it.

    This is no longer the case. The Google toolbar reports home to Google about sites people visit. Within a couple of minutes of someone viewing a URL that was private and only meant for them with a browser with the google toolbar installed the googlebot will come along to the site and grab the file for indexing. Nasty if you're not expecting it.

    --
    -- Sorry, I can't think of anything funny to say here.
    1. Re:I blame the Google Toolbar for a lot of this by Max+Romantschuk · · Score: 5, Informative

      The Google toolbar reports home to Google about sites people visit. Within a couple of minutes of someone viewing a URL that was private and only meant for them with a browser with the google toolbar installed the googlebot will come along to the site and grab the file for indexing. Nasty if you're not expecting it.

      Nasty? Yes.

      But then again, as far as I know Google does respect robots.txt. It's not hard to make a robots.txt file to exclude whatever dir you wish to use for temporary private viewing.

      And it's not that hard (on Apache servers) to make an appropriate .htaccess file either.

      --
      .: Max Romantschuk :: http://max.romantschuk.fi/
    2. Re:I blame the Google Toolbar for a lot of this by RsG · · Score: 5, Interesting

      Not to troll, but "real security and ease of use"? That's a contradiction in terms. Any system that's easy to use is almost certainly easy to crack (hint: the crackers have as easy a time as the user). Any secure system usually requires long passwords, encryption keys or something equally challenging. If your users keep their passwords the same for all systems, or have accessible copies to remind them, then the system isn't secure (remember last week when Gabe Newell's forum accounts got hacked because he used the same friggin password and it was easy to guess?)
      If you mean security through obscurity then you're describing the current situation on the net, but the article states that Google is removing the obscurity aspect by making the entire net accessible. We no longer have any kind of assurance that a given nook or cranny is too obscure to bother with.
      I agree that people shouldn't leave their personal data lying around, but to simply assume that the general public can adopt security measures that we, the /. crowd, consider adequate and easy to use is silly. What we need is internet education (the do's and do not's for the clueless).

      --
      Erotic is when you use a feather. Exotic is when you use the whole chicken.
    3. Re:I blame the Google Toolbar for a lot of this by xQx · · Score: 5, Informative

      The only problem with that is that hackers have a tendency not to respect robots.txt... in fact, it's a great index of stuff to have a look at on public websites.
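
The two replies above make one point between them: a path listed in robots.txt is hidden from polite crawlers only, so every Disallow entry also needs real access control (an .htaccess with auth or a deny rule, as Max suggests). The following check is an added example, not code from the thread; it assumes an in-memory map from directory to .htaccess text (`HTACCESS`) and a constructed `ROBOTS` file, and lists the disallowed paths that have no access-control directive on themselves or any parent directory.

```python
import re

# Apache directives that actually restrict access: 2.2-style "Deny from" and auth, 2.4-style "Require".
ACCESS_CONTROL = re.compile(r'^\s*(?:Require\s|Deny\s+from\s|AuthType\s)', re.I | re.M)


def parse_disallow(robots_txt: str) -> list:
    """Return every non-empty Disallow path in a robots.txt, in file order."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split('#', 1)[0].strip()  # drop comments
        m = re.match(r'(?i)disallow\s*:\s*(\S+)', line)
        if m:
            paths.append(m.group(1))
    return paths


def is_protected(path: str, htaccess: dict) -> bool:
    """True if the directory or one of its parents (up to '/') carries an access-control directive.

    htaccess maps a directory ('/private', or '/' for the web root) to its .htaccess text.
    """
    parts = [p for p in path.strip('/').split('/') if p]
    for depth in range(len(parts), -1, -1):
        directory = '/' + '/'.join(parts[:depth])
        if ACCESS_CONTROL.search(htaccess.get(directory, '')):
            return True
    return False


def unprotected(robots_txt: str, htaccess: dict) -> list:
    """Disallowed paths that rely on robots.txt alone, i.e. still readable by anyone who ignores it."""
    return [p for p in parse_disallow(robots_txt) if not is_protected(p, htaccess)]


# Constructed sample site: three hidden directories, only one of them password-protected.
ROBOTS = "User-agent: *\nDisallow: /temp/\nDisallow: /private/\nDisallow: /cgi-bin/\n"
HTACCESS = {
    '/private': 'AuthType Basic\nAuthName "Private"\nAuthUserFile /etc/apache/htpasswd\nRequire valid-user\n',
    '/temp': 'Options -Indexes\n',  # hides the directory listing but not the files in it
}

if __name__ == '__main__':
    print(unprotected(ROBOTS, HTACCESS))  # ['/temp/', '/cgi-bin/']
```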

    4. Re:I blame the Google Toolbar for a lot of this by WoofLu · · Score: 5, Funny

      whoa, your `cat` utility seems to get you to a root shell ^^

      maybe it's a new security hole? q:

  3. Googledorks by tb()ne · · Score: 5, Informative

    I think there was a similar /. article a while back. Do a google search for "googledorks" to find out what additional kinds of data are accessible.

  4. Re:Nothing wrong with this... by stromthurman · · Score: 5, Informative

    This may be seen as a nitpick, but it's actually an important point. It's survival of the "fit", not fittest. Evolution is about being *good enough*, not the best.

    --
    I have discovered a truly remarkable sig which this margin is too small to contain.
  5. Liability by usefool · · Score: 5, Interesting

    Is Google liable for harvesting and publishing sensitive information? If your neighbour's window wasn't closed, it doesn't mean you can take his naked photo and put it on the website?

    Also, maybe those numbers are traps to catch people? Surely you need those goods to be sent to an address and someone has to eventually pick it up.

    --
    Uselessful technology (Air-Charged
  6. Re:Nothing wrong with this... by psyklopz · · Score: 5, Insightful

    It often has very little to do with *you*.

    It quickly becomes your problem if you have done business with someone else and *they* are stupid enough to leave stuff in plain view.

    It would be nice if we knew that everyone we did business with was intelligent enough not to do this, but realistically we probably can't.

  7. Try phpMyAdmin by Anonymous Coward · · Score: 5, Interesting

    Very popular is the search for "Welcome to phpMyAdmin".

    This will give you some nice databases to browse through.

  8. How many of you... by curne · · Score: 5, Funny

    How many people dug out their own visa cards and googled for the number? :-) I managed to stop myself.

    --
    All interpreted languages are abstractions over Lisp
    1. Re:How many of you... by Dr.+Hok · · Score: 5, Funny

      If you are worried about privacy, give me your visa number and I'll google for you. This will hide the connection between your name and the number.

      --
      Say out loud: I'm an Aspie and I'm somewhat proud, I guess. Uh. Can I write an email in all caps instead? Hm...
  9. Time to join the 21st Century by WallaceSz · · Score: 5, Insightful
    Information on the internet is publicly available. Google simply makes it easier for people to find publicly available material. Same for third party apps like Google Alert that allow you to search on a regular basis for certain terms.

    Obfuscation may have allowed people to be sloppy with their data exposure until now. But that is no excuse for people being lax with their own data security.

    The Internet is built by its users. The responsibility for protecting data lies squarely with the users at the edges.

  10. W00t! by tgd · · Score: 5, Funny

    Just ordered a computer that can actually play Doom 3!

    Thanks Slashdot!

  11. Terrifying by corby · · Score: 5, Interesting

    I had trouble believing this, so I downloaded one of the .QDF files from the referenced link. I am feeling completely sick. This guy's checking account number, credit card number, and meticulously-maintained transaction history are sitting on my computer.

    It's way too late to warn these people about the files. Their current identity is toast. So is their credit for the next seven or so years.

    Is there anything we can advise these people to do to minimize the damage at this point?

  12. A couple more fun examples: by Anonymous Coward · · Score: 5, Funny
  13. Re:What I'm more surprised by by phreakv6 · · Score: 5, Informative

    That feature has been here for some time. If you want a list of all such obscure features of google check this

    --
    fifteen jugglers, five believers
  14. Re:Nothing wrong with this... by HeghmoH · · Score: 5, Insightful

    It would be nice if we could switch away from totally unverified financial transactions like the current credit card systems, and start using something that at least requires a PIN. That way, instead of having to trust every single company with which I do business, I only have to trust my bank.

    --
    Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
  15. Re:Nothing wrong with this... by chrish · · Score: 5, Funny

    c.f. Microsoft's success in computer software.

    --
    - chrish
  16. Dammit! by beaverbrother · · Score: 5, Funny

    That's my credit card number!

    1. Re:Dammit! by Anml4ixoye · · Score: 5, Funny
      That's my credit card number!
      -------

      Get a free ipod! [freeipods.com]

      Thanks! Just did!

  17. P2P is Worse by deebaine · · Score: 5, Interesting

    On a lark, I've tried searching P2P (in this case, Kazaa), for things that people have inadvertently made available. The things I found were jaw-dropping. Beyond the expected credit card and finance information, I found patent applications, doctoral dissertations, corporate documents, etc.

    I'm pretty laissez faire on this one. If you leave your keys in the car and the car running, the insurance company won't cover its theft (or at least, so goes the lore). Same principle applies here, I think.

    -db

  18. Some of them plants? by tekiegreg · · Score: 5, Insightful

    At this point if I were someone looking for a free credit card, I'd probably go at least a few down in the results, I'd like to think that the top 20 or so are plants by law enforcement by now...at least I'd hope...

    --
    ...in bed
  19. Re:Nothing wrong with this... by AnwerB · · Score: 5, Insightful

    It would be nice if we could switch away from totally unverified financial transactions like the current credit card systems, and start using something that at least requires a PIN. That way, instead of having to trust every single company with which I do business, I only have to trust my bank.

    You do realize that to do business online, you would still have to give them your PIN, right?

    It would be up to them if they wanted to store that info or not, but at some point, you will have to enter your PIN into a web page.

  20. Re:Nothing wrong with this... by skaffen42 · · Score: 5, Insightful

    You know, I really wish the paranoia about using credit cards on the internet would go away.

    Think about this as somebody with some technical background. What is more secure?
    1. Giving your credit card to the waiter at Mafia Pizza, who takes it into a back room before he brings it back to you.
    2. Providing your credit card number to Amazon.

    So here is a better idea. Get one credit card and use it for everything. Watch your statement carefully. Complain loudly if you see any charges you didn't make.

    I'd still avoid buying anything from Mr. Mbuthu at Nigeria Exports, but other than that why allow paranoia to keep you from the convenience of the internet? Remember, you are NOT liable for any fraud losses on a credit card other than the first $50. The bank takes risk in return for the fees the merchant pays and because they want you to run up a huge debt and pay them loads of interest.

    --
    People couldn't type. We realized: Death would eventually take care of this.
  21. Will Visa numbers get slashdotted? by atomic-penguin · · Score: 5, Funny

    Soon enough all valid Visa numbers will be slashdotted by orders at ThinkGeek.

    --
    /^([Ss]ame [Bb]at (time, |channel.)){2}$/
  22. Just Call Them and help them out. by freality · · Score: 5, Interesting

    I just called all the people on one of the lists linked here and either left a msg or explained the situation. Took about 30 minutes. The clearest way I found of convincing them was to tell them how to do the Google search themselves. For most of them, their name in quotes and the word "MasterCard" or whatever brought up 1 page, the page with their info on it. I got many answering machines and disconnected numbers, but a few thanks as well.

  23. Re:One-time numbers are key by EtherMonkey · · Score: 5, Informative

    Actually, American Express used to have (until April of this year) something like a one-time-use account number. It was called Private Payments, and you could generate a new, temporary account number from their secure website. Although it wasn't truly one-time use, it was only valid for 30 days and could be cancelled at any time by the cardmember.

    I used it religiously for all on-line, telephone and mail-order purchases until it was discontinued. If a merchant didn't take Amex I'd shop elsewhere.

    Now that PrivatePayments has been discontinued, I purchase Visa Gift Cards (pre-paid Visa cards) and use them for my small/medium-ticket on-line purchases. For major purchases I use a Visa card with fraud protection and check the account activity on-line at least once a week.

    But in any event, you should never be liable for a fraudulent credit card transaction. That doesn't mean you can be careless with your account information, but if there is a fraudulent charge you're not out any money if you pay attention and dispute the charge within the specified period of time.

    The real danger is ACH (Automated Clearing House) transactions against your bank accounts. Any person or organization that has the ability to perform ACH transactions (and there are plenty of third-party processors with low scruples and high tolerance of unethical behavior) can suck money DIRECTLY from your bank account. All they need is your bank routing number and bank account number. They don't need your name, address, phone number or any password or PIN (they are supposed to get your written authorization first, but there's no mechanism to check or enforce this before the fact). There is no verification or fraud protection system for ACH, as there is on most credit cards. The merchant simply asks and he receives.

    And unlike credit card disputes, where you don't pay until the dispute is settled, ACH immediately withdraws the money from your account and you have to wait for the dispute to be settled before getting your money back (if ever). Since there are no limits on ACH withdrawals, (other than having sufficient funds for payment), one fraudulent charge can lead to bounced checks, overdraft fees, returned check fees and more, increasing your loss by hundreds of dollars.

    There's no mechanism to opt-out of ACH or limit transactions to only approved merchants. Once a fraudulent charge is made you may be able to block further transactions by that merchant, but possibly only for a limited time and with payment of a stop-payment processing fee. The only real relief is to close the account and open a new one (resulting in administrative hassles and costs for new checks and forms).

    How hard it is for a bad guy to get your bank routing number and account number depends on how you use your checks. The routing and account numbers are required on the bottom of each check. It takes a few seconds for a dishonest cashier, clerk or other employee to copy this info down and sell it later. The lock-box services used by large creditors often convert paper checks to ACH transactions themselves, then discard the paper checks; depending on how discarded checks are handled, they might be subject to unwanted access. Your own handling of unused and cancelled checks also comes into play.

    Between credit-card fraud and ACH fraud, it's the latter that scares me the most. I've been a victim of unauthorized ACH transactions twice: once through a mistake made by a merchant and just recently through outright fraud. I am still waiting for the return of $100 due to the most recent fraud, and it will cost me more than that by the time I'm done switching to a new checking account.

    --
    --- A man with a briefcase can steal more money, than any man with a gun. [Don Henley]