
Google hacking for penetration tester - part 48 docx


Google Hacking Showcase • Chapter 11

Figure 11.75 shows an extremely large document that contains hundreds of bits of personal information about victims including name, address, phone numbers, credit card information, CVV codes and expiration dates.

Figure 11.75 Google Hacking Lots of Credit Card Info

However, credit card numbers and expiration dates aren’t the only financially sensitive bits of information on the web, as shown in Figure 11.76.

NOTE
Most often, information like this is collected by phishers—criminals using electronic communication to solicit personal information—and kept in an online list or database. In many cases, investigators locate these lists or databases and post links to them in online discussion groups. When Google’s crawlers follow the link, the captured data is exposed to Google Hackers. In other cases, carders (credit card number traders) post this data on the web in open-air web discussions, which Google then crawls and caches. For more information about phishing, see Phishing Exposed from Syngress Publishing.

Figure 11.76 Is Nothing Sacred?

These samples were collected from various web sites, and include bank routing numbers, PayPal usernames and passwords, eBay usernames and passwords, bank account and routing numbers and more, most likely collected by phishers.

Beyond Google

In some cases, Google is the first step in a longer hacking chain. Decent hackers will often take the next step beyond Google. In this section, we’ll take a quick look at some interesting Google hacks that took an extra few steps to pull off. Still simple in execution, these examples show the creative lengths hackers will go to.

This first screenshot, shown in Figure 11.77 (submitted by CP), reports that a staff directory has been removed from the web for privacy purposes.

Figure 11.77 Staff Contact List Removed?
This isn’t a bad idea, but the problem is that the old document must also be removed from the website, or sites like archive.org will hold onto the document’s link indefinitely. Figure 11.78 shows the staff contact document pulled from the original website, thanks to a link from archive.org.

Figure 11.78 Staff Contact List Recovered

In this next example, a Google hacker noticed a password reference sitting in a PDF document, as shown in Figure 11.79.

Figure 11.79 A PDF File Password Reference

When downloaded, the PDF file does indeed contain a password reference. In this case, it comes in the form of a link to a password-protected PDF document as shown in Figure 11.80.

Figure 11.80 A Link to a Protected Document, And the Associated Password

As seen in Figure 11.81, the referenced PDF file is indeed password protected.

Figure 11.81 Password Protected PDF Document

Entering the password opens the document, as shown in Figure 11.82.

Figure 11.82 Sensitive Document Open with Pilfered Password

It makes no sense to password-protect a document and give out the password, but in this case the problem occurred because the original document containing the password reference was not meant to be public. In this case, the blunder led to the revelation of a sensitive Government document.

Summary

This chapter is all about what can go drastically wrong when the Google hacking threat is ignored. Use this chapter whenever you have trouble conveying the seriousness of the threat. Help spread the word, and become part of the solution and not part of the problem.
And before you go sending cease and desist papers to Google, remember—it’s not Google’s fault if your sensitive data makes it online.

1 We’re obviously in tricky water here, as these are dangerous searches indeed. All identifying information in these and following searches has been blurred out, and any information that could lead to the recreation of the Google query has been removed as well. Additionally, most of the sensitive documents found in this chapter have since been removed from the web.

Chapter 12
Protecting Yourself from Google Hackers

Solutions in this chapter:
■ A Good, Solid Security Policy
■ Web Server Safeguards
■ Hacking Your Own Site
■ Getting Help from Google
■ Links to Sites

☑ Summary
☑ Solutions Fast Track
☑ Frequently Asked Questions

Introduction

The purpose of this book is to help you understand the tactics a Google hacker might employ so that you can properly protect yourself and your customers from this seemingly innocuous threat. The best way to do this, in my opinion, is to show you exactly what an attacker armed with a search engine like Google is capable of. There is a point at which we must discuss in no uncertain terms exactly how to prevent this type of information exposure or how to remedy an existing exposure. This chapter is all about protecting your site (or your customer’s site) from this type of attack.

We’ll look at this topic from several perspectives. First, it’s important that you understand the value of strong policy with regard to posting data on the Internet. This is not a technical topic and could very easily put the techie in you fast asleep, but a sound security policy is absolutely necessary when it comes to properly securing any site.
Second, we’ll look at slightly more technical topics that describe how to secure your Web site from Google’s (and other search engines’) crawlers. We’ll then look at some tools that can be used to help check a Web site’s Google exposure, and we’ll spend some time talking about ways Google can help you shore up your defenses.

Underground Googling
Where Are the Details?

There are too many types of servers and configurations to show how to lock them all down. A discussion on Web server security could easily span an entire book series. We’ll look at server security at a high level here, focusing on strategies you can employ to specifically protect you from the Google hacker threat. For more details, please check the references in the “Links to Sites” section.

A Good, Solid Security Policy

The best hardware and software configuration money can buy can’t protect your resources if you don’t have an effective security policy. Before implementing any software assurances, take the time to review your security policy. A good security policy, properly enforced, outlines the assets you’re trying to protect, how the protection mechanisms are installed, the acceptable level of operational risk, and what to do in the event of a compromise or disaster. Without a solid, enforced security policy, you’re fighting a losing battle.
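The recovered staff list in Figures 11.77 and 11.78 suggests a self-audit: take the archived copy of a page you have taken down and test whether the files it linked to are still served by your own site. This is an added example, not code from the book; the host names, the snapshot HTML and the `origin_status` stub are constructed, and the `/web/<timestamp>/` link rewriting it undoes is the form archive.org snapshots use.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Archive snapshots rewrite links to /web/<timestamp>[modifier]/<original-url>
WAYBACK_PREFIX = re.compile(r"^(?:https?://web\.archive\.org)?/web/\d+[a-z_]*/")

class _Links(HTMLParser):
    """Collects the href of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def original_links(snapshot_html, page_url):
    """Same-host URLs the archived page linked to, with archive rewriting undone."""
    parser = _Links()
    parser.feed(snapshot_html)
    host = urlparse(page_url).hostname
    found = set()
    for href in parser.hrefs:
        url = urljoin(page_url, WAYBACK_PREFIX.sub("", href))
        if urlparse(url).hostname == host:
            found.add(url)
    return sorted(found)

def still_served(snapshot_html, page_url, status_of):
    """Links from the old page that the origin server still answers with 200."""
    return [u for u in original_links(snapshot_html, page_url) if status_of(u) == 200]

# Constructed sample data: an archived copy of a staff page that now shows a
# "removed for privacy" notice, and the origin server's current responses.
PAGE = "http://www.example.org/staff/"
SNAPSHOT = """
<a href="/web/20060101000000/http://www.example.org/staff/contacts.pdf">Contact list</a>
<a href="/web/20060101000000/http://www.example.org/staff/history.html">History</a>
<a href="http://web.archive.org/web/20060101000000/http://other.example.net/">Partner</a>
<a href="phones.xls">Phone list</a>
"""
ORIGIN = {"http://www.example.org/staff/contacts.pdf": 200,
          "http://www.example.org/staff/phones.xls": 200}

def origin_status(url):
    return ORIGIN.get(url, 404)  # stand-in for a HEAD request to your own server

if __name__ == "__main__":
    for url in still_served(SNAPSHOT, PAGE, origin_status):
        print("still downloadable, delete the file itself:", url)
```

Every URL reported is a document whose link was removed while the file stayed on the server, which is the condition the chapter describes.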

Date posted: 04/07/2014, 17:20
