Google Yourself To Identify Security Holes

by Tony Bradley [Published on 15 March 2005 / Last Updated on 15 March 2005]

Google is very good at what it does. It automatically and systematically catalogues every document, image, web site or other data that is web accessible so that it can be quickly retrieved using the Google search engine. That includes potentially sensitive or confidential data that wasn't intended to be shared publicly. Google your own network or sites to identify possible security holes.

Try entering your name in a Google search. To narrow the results to only those containing your full name, enclose your name in quotation marks. You might be surprised to find out how much information about you is available on the Web. You can run Google searches on a wide variety of information, such as your phone number or your social security number, and you might discover that there is more sensitive information about you available to the public than you would prefer.

For corporate networks, the efficiency of the Google robots at voraciously collecting any data available on the Web may compromise network security or reveal sensitive information or company trade secrets that should not be available to the public.

Some say Google shouldn't do that, or ask that Google remove such information. But you can't shoot the messenger. Google is just displaying what is available. If sensitive or confidential corporate information is available on the Web, the proper thing to do is to find it and protect it within your network, not blame Google for finding it. In fact, there are tools available to help you find such information before an attacker can get hold of it.

Two such tools are SiteDigger 2.0, a free tool from Foundstone, a division of McAfee, and the Wikto Web Assessment tool. Both utilities require the Microsoft .NET Framework to be installed and a Google API key for full functionality. These tools will scan a designated Web site or domain and identify potential vulnerabilities, configuration issues, proprietary information, and other potential security concerns.

For complete details about the perils that Google may represent to your network or Web site, check out Johnny Long's book, Google Hacking for Penetration Testers, or his Web site at http://johnny.ihackstuff.com.

To download the tools mentioned above, you can use these links:

Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet / Network Security (http://netsecurity.about.com), providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions you can visit Essential Computer Security (http://www.tonybradley.com).
