Upload File

s01 s3 emin islam

of 21 /21
Outline Google Hacking Privacy Searches Countermeasures Future Work Conclusion Google Hacking against Privacy Emin ˙ Islam Tatlı [email protected] Department of Computer Science, University of Mannheim (on leave to the University of Weimar) Fidis Third International Summer School Karlstad-Sweden, 6-10 August 2007 Emin ˙ Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Upload: jozsef-szabo

Post on 26-Oct-2015

56 views

Category:

Documents


5 download

Report

Tags:

Embed Size (px)

TRANSCRIPT

Page 1: S01 S3 Emin Islam

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Google Hacking against Privacy

Emin Islam Tatlı[email protected]

Department of Computer Science, University of Mannheim(on leave to the University of Weimar)

Fidis Third International Summer School Karlstad-Sweden,6-10 August 2007

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 2: S01 S3 Emin Islam

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Outline

1 Google Hacking

2 Privacy SearchesIdentification DataSensitive DataConfidential DataSecret Data

3 Countermeasures

4 Future Work

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 3: S01 S3 Emin Islam

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

MotivationAdvanced Search ParametersExamples of Google Hacking

Motivation

Google has the index size over 20 billion entries

try to search -"fgkdfgjisdfgjsiod"

Hackers use google to search vulnerabilities

called Google Hackingvulnerable servers, files and applications, files containingusernames-passwords, sensitive directories, online devices, etc.Google Hacking Database [1] ⇒ 1423 entries in 14 groups (byJuly 2007)

What about Private Data?

In this talk, we find out many private data with google

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 4: S01 S3 Emin Islam

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

MotivationAdvanced Search ParametersExamples of Google Hacking

Advanced Search Parameters

[all]inurl

[all]intext

[all]intitle

site

ext, filetype

symbols: - . * |

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 5: S01 S3 Emin Islam

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

MotivationAdvanced Search ParametersExamples of Google Hacking

Examples of Google Hacking I

Unauthenticated programs

"PHP Version" intitle:phpinfo inurl:info.php

Applications containing SQL injection & path modificationvulnerabilities

"advanced guestbook * powered" inurl:addentry.php

intitle:"View Img" inurl:viewimg.php

Security Scanner Reports

"Assessment Report" "nessus" filetype:pdf

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 6: S01 S3 Emin Islam

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

MotivationAdvanced Search ParametersExamples of Google Hacking

Examples of Google Hacking II

Database applications&error files

"Welcome to phpmyadmin ***" "running on * asroot@*" intitle:phpmyadmin

"mysql error with query"

Online Devices

inurl:"hp/device/this.LCDispatcher"

intitle:liveapplet inurl:LvAppl

"Please wait....." intitle:"SWW link"

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 7: S01 S3 Emin Islam

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Identification DataSensitive DataConfidential DataSecret Data

Privacy Searches

1 Identification Data

2 Sensitive Data

3 Confidential Data

4 Secret Data

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 8: S01 S3 Emin Islam

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Identification DataSensitive DataConfidential DataSecret Data

Identification Data I

Data related to the personal identity of Users

Name, address, phone, etc.

allintext:name email phone address intext:"thomasfischer" ext:pdf

Twiki inurl:"view/Main" "thomas fischer"

Curriculum Vitae

intitle:CV OR intitle:Lebenslauf "thomas fischer"

intitle:CV OR intitle:Lebenslauf ext:pdf ORext:doc

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 9: S01 S3 Emin Islam

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Identification DataSensitive DataConfidential DataSecret Data

Identification Data II

Usernames

intitle:"Usage Statistics for" intext:"TotalUnique Usernames"

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 10: S01 S3 Emin Islam

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Identification DataSensitive DataConfidential DataSecret Data

Sensitive Data I

Data which is normally public but whose reveal may disturb itsowner

Postings in Forums and Mailinglists

inurl:"search.php?search author=thomas"

inurl:pipermail "thomas fischer"

Sensitive Directories

intitle:"index of" inurl:"backup"

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 11: S01 S3 Emin Islam

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Identification DataSensitive DataConfidential DataSecret Data

Sensitive Data II

Web 2.0

"thomas fischer" site:blogspot.com

"thomas" site:flickr.com

"thomas" site:youtube.com

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 12: S01 S3 Emin Islam

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Identification DataSensitive DataConfidential DataSecret Data

Confidential Data I

Data that is expected to stay confidential against unauthorizedaccess

Chat Logs

"session start" "session ident" thomas ext:txt

Private Emails

"index of" inbox.dbx

"To parent directory" inurl:"Identities"

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 13: S01 S3 Emin Islam

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Identification DataSensitive DataConfidential DataSecret Data

Confidential Data II

Confidential Directories and Files

"index of" (private | secure | geheim | gizli)

"robots.txt" "User-agent" ext:txt

"This document is private | confidential |secret" ext:doc | ext:pdf | ext:xls

intitle:"index of" "jpg | png | bmp"inurl:personal | inurl:private

Online Webcams

intitle:"Live View / - AXIS" |inurl:view/view.shtml

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 14: S01 S3 Emin Islam

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Identification DataSensitive DataConfidential DataSecret Data

Secret Data I

Non-public Data

Usernames and Passwords

"create table" "insert into""pass|passwd|password"(ext:sql|ext:dump|ext:dmp|ext:txt)

"your password * is" (ext:csv | ext:doc |ext:txt)

Secret Keys

"index of" slave datatrans OR from master

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 15: S01 S3 Emin Islam

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Identification DataSensitive DataConfidential DataSecret Data

Secret Data II

Private Keys

"BEGIN (DSA|RSA)" ext:key

"index of" "secring.gpg"

Encrypted Messages

-"public|pubring|pubkeysignature|pgp|and|or|release"ext:gpg

-intext:"and" (ext:enc | ext:axx)

"ciphervalue" ext:xml

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 16: S01 S3 Emin Islam

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Sitedigger

Privacy Countermeasures I

User-self protection

Do not make any sensitive data like documents containing youraddress, phone numbers, backup directories, secret data likepasswords, private emails, etc. online accessible to the public.Provide only required amount of personal information for theWiki-similar systems.Use more pseudonyms over InternetConsidering forum postings and group mails, try to stayanonymous for certain email contentsDo not let private media get shared over Web2.0 servicesActivate authentication mechanisms for your online devices

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 17: S01 S3 Emin Islam

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Sitedigger

Privacy Countermeasures II

System-wide protection

Use automatic tools to check your system (e.g. gooscan,sitedigger, goolink)

Use Robot Exclusion Standart (robots.txt)

Be aware of database backups containing usernames andpasswords

Install and manage Google Honeypot [2]

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 18: S01 S3 Emin Islam

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Sitedigger

Sitedigger [4]

free from Foundstonecompany

supports both GHD andFoundstone’s own hackingdatabase

for a given host, all entries inthe database are queried

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 19: S01 S3 Emin Islam

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Future Work

We are implementing the tool for automatic searches of privatedata via Google

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 20: S01 S3 Emin Islam

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

Conclusion

Search engines index our private data and make public

User privacy is in danger

We need to take the required privacy countermeasures andprotect our privacy

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy

Page 21: S01 S3 Emin Islam

OutlineGoogle Hacking

Privacy SearchesCountermeasures

Future WorkConclusion

References

Google Hacking Database. http://johnny.ihackstuff.com

Google Hack Honeypot Project. http://ghh.sourceforge.net

Goolink- Security Scanner.www.ghacks.net/2005/11/23/goolink-scanner-beta-preview/

SiteDigger v2.0 - Information Gathering Tool.http://www.foundstone.com

Gooscan - Google Security Scanner.http://johnny.ihackstuff.com

Emin Islam Tatlı (University of Mannheim) Google Hacking against Privacy


ISSUE #S01: SCOTOPHOBIA
S01 Hydraulic Cartridge
S01 Intro ML
Emin ÇİFTÇİ, Prof. Dr
Mahmut emin yıldız ingilice ödevi
EMIN SG Glasgrid Manual
1 Security Challenges of Location-Aware Mobile Business Emin Islam Tatlı, Dirk Stegemann Theoretical Computer Science, University of Mannheim February
Iuwne10 S01 L05
Training feedback Emin Eyvazov img300
Emin sg atlantis_zanjas_infiltracion_loteo_laguna_del_sol
63-S01 BUTTRESS STYLE CLOSURES 63-S01-2311 Uphxpkg.com/.../02/PHX_SpecSheet_63-S01-2311_Final.pdf · 63-S01-2311 U MARKETS Food, Food Oil/Service, Household Chemicals, Automotive,
S01 ad5008 ss02
S01 - Data Types
S01 Hydraulic Cartridges.pdf
S01 Introduction
S01 · Title: S01.doc Created Date: 9/12/2005 9:24:15
S01 - General
63-S01 BUTTRESS STYLE CLOSURES 63-S01-9312 Uphxpkg.com/wp-content/uploads/2018/02/PHX_SpecSheet_63-S... · 2018. 6. 21. · 63-S01 BUTTRESS STYLE CLOSURES 63-S01-9312 U MARKETS Food,
Adhesion - EMIN
Emin sg atlantis_green_building_solutions_2013
S01 sunny blue
Amesim English s01
Emin sg chance sistema anclaje
Emin sg fundaciones subestaciones transmision
malzeme -seçkin,emin,gökhan
Iuwne10 S01 L06
Iuwne10 S01 L02
Bellona MVP s01
Catalogue S01 Download
ZONING COMMISSION S01
Emin sg aplicaciones energia solar
Laptop Emin
S01 APENDICECTOMIA
BLACK S01.LOOKBOOK
Ecomotor - s01.s3c.es