Digital security miscreants who know where to look could use
Google's search tools to unearth tons of sensitive company data,
including intellectual property and passwords, according to one
security expert.
IT professionals must learn the bad guys' techniques so they can
keep an eye on Google to ensure their crown jewels aren't ending up
in the public domain, said Tom Bowers, managing director
of Security Constructs LLC and the former manager of information
security operations at a Fortune 100 pharmaceutical company.
"If something ends up on Google it becomes public information,"
Bowers said at last week's SecureWorld conference in Boston. "It's
your job to see if your intellectual property is on Google and to
come up with the right defenses so it doesn't happen."
Bowers isn't the first security expert to warn that Google could
be used to unearth company secrets. Penetration tester Johnny Long
has made headlines explaining ways to turn Google into a malicious
tool, and his johnny.ihackstuff.com Web site includes a
"Google hacking database." But Bowers said many companies still
have no idea how real the Google threat is.
Google announced last week it will start putting a shield of
anonymity in front of the vast volume of information it collects
from millions of global users to make it tougher for people to
trace online search requests back to the people making them. But
there's no indication that this will reduce the particular risk
Bowers outlined. One reason is that hackers have shown a knack for
getting around such defensive shields.
Bowers noted that many Google hackers are seasoned spies who
once worked for communist regimes. "When the Berlin Wall fell,
spies were out of work and they turned to economic spying," he
said. He also noted that pharmaceutical companies have been known
to hire intelligence gatherers to learn more about their
competitors.
Google hackers can zero in on their prey using Google's refine
search tool to look for financial filings and security analyst
reports, which are potential goldmines of information. More
specialised Google tools hackers find handy include Google Earth,
Google Patent Search and Google Blog Search.
Google Earth can provide spies with satellite photos of
competitors' plants, Bowers said. If a company includes too much
information in one of its patents, then Google Patent Search can be
especially valuable.
"Once you have a patent, that becomes public information, so now
you have to be really careful about what you put in them," he said.
"Put just enough in there to make it unique and patentable, but
don't put too much in there so that your competitors can read it
and duplicate your process. Patents can be a real treasure trove of
information."
Blogs can also be an excellent source of information for one
company to use against another, he said. A lot of ideas are shared
in the blogosphere, and sometimes a lot of intellectual property is
shared as well.
But, Bowers said, perhaps the best intelligence tool is Google
Alerts, which pushes content to the user based on their customised
specifications.
"You can collect under such search terms as data mining,
business intelligence and computer forensics," he said. "My Google
alerts are sent to me in a daily email. It's very easy to use and
you can quickly use it to find information on your company and
start an investigation" as to how it got there.
Bowers has found that Google can also be used to dig up
spreadsheets companies assume have been destroyed. Some of those
spreadsheets may include such juicy details as user names and
passwords. In one case, he managed to find a spreadsheet loaded
with account names and passwords.
For IT professionals who go looking for their company data on
Google, Bowers' advice is to start with a question, then refine the
search, ask more questions and refine the search some more. Once
information is found, a metadata analysis can be performed to
determine document creation dates and find hidden hyperlinks.
For those who do find sensitive data about their company
floating around on Google, the search giant does have an online
form they can fill out to have a piece of content removed, Bowers
said.