
Vulnerability by Insecurity

Vulnerability by Insecurity. Presented by Keith I. Daniels (SEARCH). Google reveals hidden insecurities: personnel details, account information, credit card details, password files, detailed police reports. Who watches the web designer?


Presentation Transcript


  1. Vulnerability by Insecurity Presented by Keith I. Daniels (SEARCH)

  2. Google Reveals Hidden Insecurities
  • Personnel details
  • Account information
  • Credit card details
  • Password files
  • Detailed police reports

  3. Who Watches the Web Designer
  • By default, web designers tend to have the ultimate control over web page content
  • Few people in an organization know more about web page design than the designer
  • Executives tend to assume and expect that only data viewable on the main page or intended links is viewable by the general public

  4. Everyone Googles, But Do They Understand It?
  • To understand Google is to understand security and insecurity
  • To the general user, Google is just a box in which we put words that will result in thousands or millions of hits that can be clicked on and viewed. To most people this is sufficient

  5. How Google and Search Engines Work
  • Google uses spiders (crawlers) to scour the Internet
  • They report back to the database and cache all of the pages that they find

  6. Each Word Searches Individually and in Combination With Each of the Other Words
  (Diagram: three overlapping circles labelled Word 1, Word 2, Word 3)

  7. Boolean Searches Enhance Results
  • Used for general searches
  • Also use Boolean searching techniques
  • AND is Google's default Boolean operator
  • “” (quotes)
  • + (plus)
  • OR
  • - (minus)
  • NOT

  8. Utilizing the Quotes “” Comparison
  • Identical searches without and with quotes: 5,890,000 hits without quotes, 24 hits with quotes

  9. The Rule of 32
  • By default, Google permits a maximum of 32 words in a search string
  • Hackers and hacker types can increase this by removing small regular words and replacing them with an asterisk *
  • Each asterisk permits another word to be added to the string
  • This permits the enquiring minds of the hackers to utilize scripts that have been pre-programmed

  10. The Phrase Below Would Look Like This
  • Original: Hackers and hacker types can increase this by removing small regular words and replacing them with an asterisk Each asterisk permits another word to be added to the string
  • With “and” removed also, 29 words becomes 19. Now the string can have 10 more words added to it
  • Compacted: Hackers hacker types *increase ** removing small regular words replacing them with * asterisk Each asterisk permits another word ** added ** string

  11. File Types
  • Google has expanded the number of non-HTML file types searched to 12 file formats
  • Adobe Portable Document Format (pdf)
  • Adobe PostScript (ps)
  • Lotus 1-2-3 (wk1, wk2, wk3, wk4, wk5, wki, wks, wku)
  • Lotus WordPro (lwp)
  • MacWrite (mw)
  • Microsoft Excel (xls)
  • Microsoft PowerPoint (ppt)
  • Microsoft Word (doc)
  • Microsoft Works (wks, wps, wdb)
  • Microsoft Write (wri)
  • Rich Text Format (rtf)
  • Text (ans, txt)

  12. Advanced Operators: The Real Hacker's Tools
  • Advanced operators require no space after the colon (:)
  • cache:
  • link:
  • related:
  • info:
  • define:
  • stocks:
  • site: e.g. training site:www.search.org
  • allintitle:
  • intitle:
  • inurl:
  • allinurl:
  • numrange:

  13. Filetype:
  • "admin account info" filetype:log
  • Let’s look at this site

  14. Clicking on the Link Reveals
  • OOPS, page not found. WRONG!!!!!!

  15. Finding the Page through Google Cache
  • Clicking on “Cached” reveals the page in its original form
  • Difficult username to guess… ADMIN
  • The password is more difficult, but was easy to find

  16. Inurl:/admin/login
  • If someone can obtain administrator login privileges, what can they do?

  17. You Found This on Google
  • Enter a range of numbers, e.g.
  • Numrange:4568000000000000..4568999999999999
  • The results can be astounding

  18. Prevention
  • Do not permit sensitive data on your website, even temporarily
  • Proactively check your web presence with Google regularly
  • Assign someone to conduct these checks, not the web developer
  • Have this person become familiar with the website at www.johnny.ihackstuff.com (don’t forget the dot; you have been warned)

  19. Prevention Continued
  • site:(enter your site here)
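The prevention slides above put the burden on a reviewer who is not the web developer. As an added defender-side example (not part of the presentation), the script below pre-checks a local document root before publication: it walks the tree, keeps only files in the non-HTML formats listed in slide 11 (plus the .log type from slide 13), and flags any whose text matches credential-, card-number- or SSN-like patterns. The patterns, the file names and the file contents are all constructed for illustration.

```python
import os, re, tempfile
from pathlib import Path

# Non-HTML types Google indexes (slide 11) plus the .log type from slide 13.
INDEXED_EXTENSIONS = {
    ".pdf", ".ps", ".wk1", ".wk2", ".wk3", ".wk4", ".wk5", ".wki", ".wks", ".wku",
    ".lwp", ".mw", ".xls", ".ppt", ".doc", ".wps", ".wdb", ".wri", ".rtf", ".ans",
    ".txt", ".log",
}
# Illustrative patterns for the data categories of slide 2 (assumed, not exhaustive).
SENSITIVE_PATTERNS = {
    "credential": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]", re.I),
    "card_number": re.compile(r"\b\d{4}(?:[ -]?\d{4}){3}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

def scan_file(path: Path) -> list[str]:
    """Names of the patterns found in one file (plain text; binary formats need an extractor)."""
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return []
    return [name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(text)]

def scan_webroot(root: str) -> dict[str, list[str]]:
    """Walk a document root and report indexable files that match a sensitive pattern."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() in INDEXED_EXTENSIONS:
                hits = scan_file(path)
                if hits:
                    findings[path.relative_to(root).as_posix()] = hits
    return findings

def run_demo() -> dict[str, list[str]]:
    """Build a constructed sample web root, scan it, and return the findings."""
    samples = {  # every value here is made up for the demonstration
        "downloads/admin.log": "admin account info\nuser = ADMIN\npassword = <placeholder>\n",
        "reports/case.txt": "Incident report. Subject SSN 123-45-6789.\n",
        "orders/export.rtf": "Card on file: 4568 0000 0000 0001\n",
        "index.html": "password: appears here too, but .html is not in the scanned set\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_webroot(root)
```

Run it against a staging copy of the site before files go live; anything reported should be removed or moved behind authentication rather than left for the crawler to cache.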

  20. Site Digger (www.foundstone.com)
  • Free software
  • Not for the faint of heart

  21. Contact Information
  Keith I. Daniels, Computer Training Specialist
  SEARCH Group Inc
  7311 Greenhaven Drive, Sacramento, California 95831
  Keith.Daniels@search.org
  916-392-2550 ext 254
