This file also reveals the product key of the installed software, which could be re-used to install the software illegally. Last but not least, check out Figure 11.61, submitted by CP. Figure 11.61 Hey, Can I Get All Your Web Passwords? This document lists usernames and passwords for various websites.The document was stored on a website, presumably to allow the owner easy remote access to it. However, at some point the document’s location was made public, and Google dutifully crawled it. Remember, public websites are generally just that—public. Don’t combine public and pri- vate data without a great deal of forethought. Police Reports From what I understand, most police records are a matter of public record. So it doesn’t sur- prise me when I see police reports like the one shown in Figure 11.62. Google Hacking Showcase • Chapter 11 461 452_Google_2e_11.qxd 10/5/07 1:19 PM Page 461 Figure 11.62 Police Reports Are Public Record. Okay. However, when I find a police report like the one shown in Figure 11.63, I begin to question the sanity of posting unfiltered police records. 462 Chapter 11 • Google Hacking Showcase 452_Google_2e_11.qxd 10/5/07 1:19 PM Page 462 Figure 11.63 That Means Your Victoria’s Secret Account Info Is Too This police report records the details of a theft of a woman’s purse.The problem is that the contents of the woman’s purse are listed in great detail, including the account number of her Victoria’s Secret card! This is not the only occurrence of such a detailed police report found on the web. Figure 11.64 shows another more revealing report. Figure 11.64 Robbed Twice, Thanks To Open Police Reports Google Hacking Showcase • Chapter 11 463 452_Google_2e_11.qxd 10/5/07 1:19 PM Page 463 This report details another petty theft, this time listing the account numbers of the Visa and MasterCard credit cards that were stolen. It’s very likely that the cards were cancelled immediately after they were reported stolen, but the police report shown in Figure 11.65 lists personal numbers that are not as easy to replace. Figure 11.65 Police Report Triple Robbery or “Mom, I have bad news”. In this case, not only is the victim’s driver’s license number posted, but their social security number is listed alongside their mother’s driver’s license number—all of this posted on a public website, ripe for an identity thief ’s picking. 1 . Social Security Numbers The Social Security Number (SSN) is the most sensitive piece of information a United States citizen possesses. Even an inexperienced criminal can use a pilfered SSN to establish a bank account, open a line of credit or more—all under the victim’s name. In this section, we’ll take a look at some of the ways an individual’s SSN may end up online. Be advised that like the other sensitive searches in this book, every effort has been taken to obfuscate the selected documents and obscure the Google search that was used to locate them. In most educational facilities, it is common to assign an identification number to stu- dents in order to keep their grades and personal information private. However, as shown in Figure 11.66, the identification number most often used is the student’s social security number. 464 Chapter 11 • Google Hacking Showcase 452_Google_2e_11.qxd 10/5/07 1:19 PM Page 464 Figure 11.66 Social Security Numbers as Student ID Numbers The SSN by itself is not necessarily a big deal, and when posted alongside student’s grades (as shown in Figure 11.67) the system works well to keep student’s progress private. Figure 11.67 “Anonymous” Student Numbers and Grade Postings Google Hacking Showcase • Chapter 11 465 452_Google_2e_11.qxd 10/5/07 1:19 PM Page 465 However, in many cases, student’s names are posted right alongside their Social Security Number, as shown in Figure 11.68.This of course destroys the anonymity gained by using an identification number instead of a name. Figure 11.68 Names and Social Security Numbers Together Again In some cases, these documents are not intended for public viewing, but somehow end up on Internet-facing websites.This is, of course, an unsafe handling practice and the docu- ments end up in Google’s cache.The document shown in Figure 11.69 was discovered sit- ting in an open directory by an anonymous Google hacker. Notice that it lists student’s names, SSN and more.To make matters worse, this document was found on a US Government training facility website.The document has since been removed. 466 Chapter 11 • Google Hacking Showcase 452_Google_2e_11.qxd 10/5/07 1:19 PM Page 466 Figure 11.69 SSN and Names, an ID Thief’s Birthday Present Social Security numbers appear on the web in other ways, most notably through user ignorance.The resume request shown in Figure 11.70 lists an individual’s SSN in a message group post. Figure 11.70 Hire This Guy. Here’s His SSN. Google Hacking Showcase • Chapter 11 467 452_Google_2e_11.qxd 10/5/07 1:19 PM Page 467 The document shown in Figure 11.71 is known as curriculum vitae, or a CV. I wasn’t sure what a CV was, but after a bit of research I discovered it is a sort of résumé for really smart people. Figure 11.71 I’m Smart. Want to See My CV? As for me, I think I’ll keep my plain old résumé, especially if maintaining a CV means that I have to publicly expose my birthday and social security number. Finally, check out the spreadsheet shown in Figure 11.72 which lists the name, date of birth, sex, date of hire and SSN of a company’s employees. 468 Chapter 11 • Google Hacking Showcase 452_Google_2e_11.qxd 10/5/07 1:19 PM Page 468 Figure 11.72 Employee Out Of the Closet Day Credit Card Information Credit card numbers are obviously very valuable, and should be kept well protected. However, as we’ll see in this section, those numbers can be found on the web with very little effort. Figure 11.73 shows a relatively small document that lists a Visa credit card number alongside the associated expiration date. Google Hacking Showcase • Chapter 11 469 452_Google_2e_11.qxd 10/5/07 1:19 PM Page 469 Figure 11.73 Google Hacking Credit Card Info Figure 11.74 shows a larger document that lists no only credit card numbers and their associated expiration dates, but also the card certification value (CVV) number which is often used to validate that the card is in the hands of a legitimate bearer. Figure 11.74 Google Hacking More Credit Card Info 470 Chapter 11 • Google Hacking Showcase 452_Google_2e_11.qxd 10/5/07 1:19 PM Page 470 . of a legitimate bearer. Figure 11.74 Google Hacking More Credit Card Info 470 Chapter 11 • Google Hacking Showcase 452 _Google_ 2e_11.qxd 10/5/07 1:19 PM Page 470 . company’s employees. 468 Chapter 11 • Google Hacking Showcase 452 _Google_ 2e_11.qxd 10/5/07 1:19 PM Page 468 Figure 11.72 Employee Out Of the Closet Day Credit Card Information Credit card numbers are. very little effort. Figure 11.73 shows a relatively small document that lists a Visa credit card number alongside the associated expiration date. Google Hacking Showcase • Chapter 11 469 452 _Google_ 2e_11.qxd