
Searching For Trouble With Google

Posted by timothy
from the dirty-deeds-done-dirt-cheap dept.
achilles writes "From a recent eWeek article: 'Whether they realize it or not, many people leave sensitive information out in plain view on Web sites. But sooner or later, a Google search will dig it up.' The article goes on to list some examples such as 'a search for credit card numbers. Try this one, for "Visa 4366000000000000..4366999999999999' and other 'risky data' from careless users, such as QUICKEN files etc."
  • this was on cryptome (Score:5, Informative)

    by jabella (91754) * on Wednesday September 01, 2004 @07:13AM (#10126857) Journal
    This was on bugtraq a week or two ago:

    Check it out [securityfocus.com] and there was a discussion of it a few days later.

    Someone actually has a whole forum dedicated to finding things you can do with google here. [ihackstuff.com]

    Apparently this was even a DEFCON speech subject.
    • by Anonymous Coward
      Someone actually has a whole forum dedicated to finding things you can do with google here.

      Another good site is searchlores.org [searchlores.org]

      It doesn't limit itself only to Google.

    • Yes and they also mentioned that this wasn't as big a deal as people think.
      For one, the valid credit card numbers will rapidly be made useless as 3rd parties use them and they are cancelled. The bottom line is very few customers will be liable for any of these fraudulent transactions.
      The majority of the credit card numbers are on semi-underground script kiddy sites, where they are posted to gain cred or access to pr0n. I'd like to bet that most of these are invalid or the product of a credit card n
  • by twoshortplanks (124523) on Wednesday September 01, 2004 @07:14AM (#10126861) Homepage
    It used to be the case that if you put something temporarily in a directory on your webserver (that didn't have indexes turned on) you could simply give the URL of the file to a couple of people to have a quick look at and not have to worry about putting a password on the file. Because it wasn't linked from anywhere, unless someone could guess the URL no-one else would be able to find it.

    This is no longer the case. The Google toolbar reports home to Google about sites people visit. Within a couple of minutes of someone viewing a URL that was private and only meant for them, with a browser that has the Google toolbar installed, the Googlebot will come along to the site and grab the file for indexing. Nasty if you're not expecting it.

  • Quicken files (Score:5, Insightful)

    by Space cowboy (13680) * on Wednesday September 01, 2004 @07:14AM (#10126863) Journal
    I feel sorry for 'Haley' and others with their Quicken files being shown to all of /. and presumably friends etc. I wonder what the 'reach' of the slashdot crowd is when it's a "You're not going to believe this!" story...

    Simon
    • What I'm wondering is....

      Can I mirror these files on my web site?

      I've downloaded a few but don't plan on doing anything dirty. Maybe I'll send out a few letters telling people that they should watch what they post on-line

      I can see the response:

      "Honey, do you know anyone named 'ImaLamer'?"

      "No dear"

      "Well, he or she claims that your bank information is online"

      "Must be some sort of scam sweetie, toss it"

  • FBI use? (Score:5, Insightful)

    by SynKKnyS (534257) on Wednesday September 01, 2004 @07:14AM (#10126864)
    Looks more like Google found forums where people were swapping credit card numbers.
  • Priceless (Score:5, Funny)

    by Killjoy_NL (719667) <slashdotNO@SPAMremco.palli.nl> on Wednesday September 01, 2004 @07:16AM (#10126871)
    Good thing I've got a Mastercard then :)
  • by suso (153703) on Wednesday September 01, 2004 @07:16AM (#10126876) Homepage Journal
    is that you can search for ranges of numbers like that in google. That's pretty neat.
  • Googledorks (Score:5, Informative)

    by tb()ne (625102) on Wednesday September 01, 2004 @07:16AM (#10126878)
    I think there was a similar /. article a while back. Do a google search for "googledorks" to find out what additional kinds of data are accessible.
  • Liability (Score:5, Interesting)

    by usefool (798755) on Wednesday September 01, 2004 @07:18AM (#10126893) Homepage
    Is Google liable for harvesting and publishing sensitive information? If the neighbour's window wasn't closed, it doesn't mean you can take his naked photo and put it on the website?

    Also, maybe those numbers are traps to catch people? Surely you need those goods to be sent to an address and someone has to eventually pick it up.
    • Re:Liability (Score:3, Insightful)

      by swillden (191260) *

      If the neighbour's window wasn't closed, it doesn't mean you can take his naked photo and put it on the website?

      Bad analogy. A better one: If the neighbor posts his naked photo on a public bulletin board, does that mean you can show other people where it is?

      Stuff that's on the web is there because someone put it there, i.e. they published it. The fact that they may not have *meant* to publish it doesn't change the fact that they did. If you place an ad in the newspaper, but screw up and give the paper

  • Try phpMyAdmin (Score:5, Interesting)

    by Anonymous Coward on Wednesday September 01, 2004 @07:20AM (#10126904)
    Very popular is the search for "Welcome to phpMyAdmin".

    This will give you some nice databases to browse through.
    • Re:Try phpMyAdmin (Score:3, Informative)

      by liquidpele (663430)
      Not just wide open dbs though...
      A lot of small sites don't check for sql-injection for login info, and use root as the mysql user. yikes!
    • eBooks (Score:3, Interesting)

      by upside (574799)
      Another good one is searching for copyright phrases found on front pages of eBooks such as O'Reilly CD Bookshelves. People seem to put up their eBooks for their own convenience. OTOH publishers seem to be doing a bit of Googling of their own, as they tend to be taken down pretty soon. Nothing that a quick WGET won't handle...
  • by curne (133623) <curne&curnomatic,dk> on Wednesday September 01, 2004 @07:20AM (#10126905) Homepage
    How many people dug out their own Visa cards and googled for the number? :-) I managed to stop myself.
  • by Epistax (544591) <epistax AT gmail DOT com> on Wednesday September 01, 2004 @07:20AM (#10126906) Journal
    Having google blocked (presumably from google's end) from this is just security through obscurity. Well it's not even that really, it means there is (1) stuff available in plain text which is a part of a website's (2) public access AND (3) for one reason or another has searching enabled. The problem is part 1 and/or 2, the symptom is 3. Cure the problem, not the symptom.
  • Same for SSNs (Score:4, Informative)

    by bcarl314 (804900) on Wednesday September 01, 2004 @07:21AM (#10126913)
    Just tried Google for an SSN search as well. Same thing, you get a list of results within that social security number range, along with names and addresses.

    I just can't figure out why people would be victim to identity theft.
  • by WallaceSz (643543) on Wednesday September 01, 2004 @07:22AM (#10126919)
    Information on the internet is publicly available. Google simply makes it easier for people to find publicly available material. Same for third party apps like Google Alert [googlealert.com] that allow you to search on a regular basis for certain terms.

    Obfuscation may have allowed people to be sloppy with their data exposure until now. But that is no excuse for people being lax with their own data security.

    The Internet is built by its users. The responsibility for protecting data lies squarely with the users at the edges.

  • W00t! (Score:5, Funny)

    by tgd (2822) on Wednesday September 01, 2004 @07:22AM (#10126921)
    Just ordered a computer that can actually play Doom 3!

    Thanks Slashdot!
  • Terrifying (Score:5, Interesting)

    by corby (56462) * on Wednesday September 01, 2004 @07:24AM (#10126929)
    I had trouble believing this, so I downloaded one of the .QDF files from the referenced link. I am feeling completely sick. This guy's checking account number, credit card number, and meticulously-maintained transaction history are sitting on my computer.

    It's way too late to warn these people about the files. Their current identity is toast. So is their credit for the next seven or so years.

    Is there anything we can advise these people to do to minimize the damage at this point?
    • Re:Terrifying (Score:4, Insightful)

      by zoeblade (600058) on Wednesday September 01, 2004 @08:15AM (#10127294) Homepage

      Is there anything we can advise these people to do to minimize the damage at this point?

      That's a nice thought, but how can you word it so it doesn't sound like you're either threatening them or selling them something? People have been called illegal hackers for trying to help other people out by pointing out blatantly obvious security holes before.

    • Re:Terrifying (Score:3, Interesting)

      by hugesmile (587771)
      Here's an idea:

      Notify them via a phone call, using the Relay phone system [att.com] for the deaf.

      Not exactly a good use of the service that we all pay for, but it's fairly anonymous, and you can be non-threatening.

    • by freality (324306) on Wednesday September 01, 2004 @10:15AM (#10128654) Homepage Journal
      I just called all the people on one of the lists linked here and either left a msg or explained the situation. Took about 30 minutes. The clearest way I found of convincing them was to tell them how to do the Google search themselves. For most of them, their name in quotes and the word "MasterCard" or whatever brought up 1 page, the page with their info on it. I got many answering machines and disconnected numbers, but a few thanks as well.
  • by Anonymous Coward on Wednesday September 01, 2004 @07:24AM (#10126933)
  • by Fortress (763470) on Wednesday September 01, 2004 @07:27AM (#10126963) Homepage
    of the VISA/Google search is that VISA is a sponsored link. Kind of like Microsoft advertising on a website that bashes it for its security holes...wait a minute...
  • The sad thing... (Score:5, Insightful)

    by Sinistar2k (225578) on Wednesday September 01, 2004 @07:38AM (#10127041)
    The sad thing is that now people will be Googling for their credit card numbers to be sure they're 'safe', but doing so means their credit card number will show up in the list of things people are Googling.
    • by TheLink (130905)
      The other sad thing is people actually think it's such a big risk to cardholders.

      Without the signature a cardholder can repudiate the transaction. So if you didn't buy the stuff, just tell the Issuing Bank that you didn't and just don't pay for that transaction.

      Then either the Merchant loses or the Bank loses. You, the cardholder don't unless you use a crappy card company that charges you to reissue a new card. Of course there's the inconvenience of being short of one usable credit card. But it's not as b
    • no probs, I just googled for 5454178568431210..5454178568431212. Anyway, this thing expires the end of next month. Anyone know what that 481 on the signature strip is for?

      --
      A N Other.
      • Re:The sad thing... (Score:3, Informative)

        by ibennetch (521581)
        It's some sort of extra protection measure that isn't encoded in the magnetic strip and therefore needs to be entered manually...not used all of the time but when it is used it prevents someone from using a magnetic cardswipe to steal your number...the credit card company knows that number and sometimes requires it for authorization
      • by LordPixie (780943) * on Wednesday September 01, 2004 @10:18AM (#10128691) Journal
        Anyone know what that 481 on the signature strip is for?

        It actually depends on what the name is on the front of the card. It has different meanings for different names.

        Yours would be.... ?


        --LordPixie
  • by Gleng (537516) on Wednesday September 01, 2004 @07:45AM (#10127079)

    Norton DumbWall 2004

    Featuring:

    • VisaBlock: Keep your credit card information off of the Internet
    • NoShare: Safeguard your banking details and MP3s from prying eyes
    • PackAway: If you're deemed to be too stupid to own a computer, Norton DumbWall 2004 will format your hard drive and arrange for one of our qualified technicians to come over to your house and take your computer away. It's for your own good.

    Order now and get a free drool-bib.

  • Dammit! (Score:5, Funny)

    by beaverbrother (586749) on Wednesday September 01, 2004 @07:47AM (#10127092)
    That's my credit card number!
  • P2P is Worse (Score:5, Interesting)

    by deebaine (218719) on Wednesday September 01, 2004 @07:54AM (#10127119) Journal
    On a lark, I've tried searching P2P (in this case, Kazaa), for things that people have inadvertently made available. The things I found were jaw-dropping. Beyond the expected credit card and finance information, I found patent applications, doctoral dissertations, corporate documents, etc.

    I'm pretty laissez faire on this one. If you leave your keys in the car and car running, the insurance company won't cover its theft (or at least, so goes the lore). Same principle applies here, I think.

    -db
  • Suppositions (Score:4, Informative)

    by AviLazar (741826) on Wednesday September 01, 2004 @07:54AM (#10127122) Journal
    This person uses a lot of (paraphrase) "I haven't seen it myself, but I am sure real numbers are there."

    Unless this person can cite a real case, then all he did was show us test files (as he claims he has seen).
  • by tekiegreg (674773) * <tekieg1-slashdot@yahoo.com> on Wednesday September 01, 2004 @07:55AM (#10127132) Homepage Journal
    At this point if I were someone looking for a free credit card, I'd probably go at least a few down in the results, I'd like to think that the top 20 or so are plants by law enforcement by now...at least I'd hope...
  • AVS (Score:3, Informative)

    by barcodez (580516) on Wednesday September 01, 2004 @08:02AM (#10127178)
    Any website that accepts credit card payments worth using will require an AVS number and address.

    As for coding these numbers on to other cards and using them in bricks and mortar shops, you would hope that the shops check that the embossed number matches. If they have checked all this, under UK law anyway, the CC company is liable.

    With chip and pin cards being introduced across Europe CC numbers are becoming more and more useless to criminals now.
  • TWO WORDS!!!!!! (Score:5, Interesting)

    by spidergoat2 (715962) on Wednesday September 01, 2004 @08:34AM (#10127469) Journal
    "Parent directory". That Google search is the most fun you can have with your clothes on.
  • by telemonster (605238) on Wednesday September 01, 2004 @08:49AM (#10127610) Homepage
    A while ago SOME GUY ON IRC's personal Cabletron switch puked out, so SOME GUY ON IRC needed a new firmware image. Lo and behold, SOME GUY found an account via Google. Some school posted theirs online. (Cabletron makes overpriced gear sold to gov't mainly; you can generally get enterprise-level huge switches on eBay for $5, since it doesn't carry the Cisco name.) Oh, that was a lucky find, since hardly anyone uses Cabletron (now Enterasys) equipment; it is hard to find, unlike Cisco CCO accounts.

    Google rocks! Don't forget to google for your FLEXLM license files for your Solaris and similar systems, or your crusty Digital licenses for VMS, OSF/1, etc.

  • Soon enough all valid Visa numbers will be slashdotted by orders at ThinkGeek.
  • by rfc1394 (155777) <Paul@paul-robinson.us> on Wednesday September 01, 2004 @11:09AM (#10129374) Homepage Journal
    His example only selects cards belonging to one issuer (because the first 4 digits are the same), and only got 8 hits. Let's not be pikers and do the whole range of Visa Cards; the number 4 followed by 15 digits. And let's do Mastercard (50-53 followed by 14 digits) while we're at it, let's not discriminate!

    For Visa, I did this one [google.com] and got 2450 pages of listings of credit card numbers. Doing the same for Master Card [google.com] returns only another 481 pages - not just card numbers, but web pages containing numbers - and some are test pages to demonstrate how LUHN codes work, but I don't think they all are. Oh, let's not leave home without American Express [google.com], where we can find a whopping 7,780 pages of listings!

    I don't think they are all tests. Some include the number, expiration date, plus the name, address and telephone number of some people who apparently placed orders on-line. A great way to commit fraud or implement identity theft, wouldn't you say?

    My guess is that if you called some of these people you would find out that yes, that is their credit card number and they had no idea it had been exposed.

    Oh, I forgot to troll for Social Security Numbers [google.com]. Now that returns 7 million pages, most being things like zip codes and such, but it wouldn't be hard to do that by redoing the search on an automated basis by inserting the '-' where appropriate and generating several thousand searches. At random I picked a range and tried all Social Security 301-01 numbers [google.com], and got 115 pages. Not only that, but the text ad from Google was for a company that offered on-line searches of social security information! Very helpful too!

    Paul Robinson
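
The post above mentions the Luhn check and the per-brand number ranges. As an added example (not from the eWeek article or any poster here), this is a defender-side scan you can run over your own web root before a crawler finds it: a regex picks out long digit runs and the Luhn checksum discards the order ids and phone numbers that a plain number search would flag. The issuer prefix/length rules in `issuer()` and the sample text are my own assumptions; the card numbers in the sample are the brands' well-known public test numbers, not real cards.

```python
import os
import re

# Runs of 13-19 digits, optionally separated by single spaces or dashes.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Mod-10 (Luhn) checksum that Visa, Mastercard and Amex numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def issuer(digits):
    """Brand from prefix/length (assumed rules: Visa 4; MC 51-55; Amex 34/37)."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if 51 <= int(digits[:2]) <= 55 and n == 16:
        return "Mastercard"
    if digits[:2] in ("34", "37") and n == 15:
        return "American Express"
    return "unknown"

def find_card_numbers(text):
    """Return (number as written, brand) for each Luhn-valid candidate in text."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):  # drops most order ids, phone numbers, etc.
            hits.append((m.group(0), issuer(digits)))
    return hits

def scan_tree(root, exts=(".txt", ".html", ".htm", ".csv", ".log")):
    """Walk a web root; map each text file to the card numbers found in it."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_card_numbers(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample; the card numbers are the brands' public test numbers.
SAMPLE = """Order 1234567812345678 shipped, tel 555-0100.
Paid with Visa 4111 1111 1111 1111 (exp 10/04).
Backup card 5555-5555-5555-4444; Amex 378282246310005 on file."""
```

Calling `find_card_numbers(SAMPLE)` reports only the three test cards (the 16-digit order id fails Luhn); `scan_tree("/path/to/webroot")` applies the same check to every text file under a document root.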

  • by sootman (158191) on Wednesday September 01, 2004 @11:22AM (#10129556) Homepage Journal
    If you find something of yours that shouldn't be online, and you have access to the server, the best thing to do is put up an empty document with the same name.

    Contacting google to remove their 'hit' on it could take a while, and remember--there *are* other search engines out there. If the doc just disappears, it'll stay in Google's cache (and who knows who else's) for who knows how long.

    However, if a doc with the same name and same location still exists but has little, no, or bogus data, the engines will suck up this new worthless copy the next time they come 'round and the good copy in their cache will be overwritten with the new worthless copy.
