Tuesday, March 24, 2009

Is Google a liability?

Google today is what "Uncle Gino" is to every mob family. He's that treasure-trove of information, some of it insider information, who will readily spill it to anyone smart enough to ask the right questions.

Think about it - Google indexes your sites and applications and uncovers things you may not have intentionally put there... things like error pages, configuration files, and other goodies that should be kept reasonably close to the vest. The problem is, once Google gets a hold of the information and indexes it - it's stored up in the cache and find-able for long, long periods of time... and it's virtually impossible to get rid of.

Finding nuggets of information a la Johnny's "Google Hacking DB" [GHDB] is almost simple now that there are formulas for some very, very informative searches.

For example, what if you wanted to look for SQL database dumps... simply enter this string into Google, and away you go --> "# Dumping data for table". Here's a great example of juicy data (http://pandoramon.sourceforge.net/sql/pandora_db.sql).

Looking to dig into someone's WSFTP configuration file, which should not be on a public web server? Try this "intitle:index.of ws_ftp.ini" ... which will lead you to this beautiful catch (http://www.radicalempiricism.org/courriel/ws_ftp/WS_FTP.ini) and yes, those are weakly-encoded passwords in there!
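Turned around for the site owner, the same two patterns make a quick audit of your own document root before a crawler gets there. This is an added example, not part of the original post; the function names `audit_webroot` and `build_sample_webroot` and the sample files are constructed for illustration.

```python
import os
import tempfile

# Marker string and file name come from the two searches quoted in the post.
DUMP_MARKER = b"# Dumping data for table"
RISKY_NAMES = {"ws_ftp.ini"}          # compared case-insensitively
MAX_SCAN_BYTES = 1024 * 1024          # assumption: marker sits in the first 1 MiB


def audit_webroot(root):
    """Return sorted (relative_path, reason) pairs for risky files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name.lower() in RISKY_NAMES:
                findings.append((rel, "FTP client config with stored passwords"))
                continue
            try:
                with open(full, "rb") as fh:
                    head = fh.read(MAX_SCAN_BYTES)
            except OSError:
                continue  # unreadable by this user; skip it
            if DUMP_MARKER in head:
                findings.append((rel, "SQL dump marker in file content"))
    return sorted(findings)


def build_sample_webroot(root):
    """Constructed sample tree: one clean page, one dump, one WS_FTP.ini."""
    samples = {
        "index.html": "<html><body>hello</body></html>\n",
        os.path.join("backup", "site.sql"): "# Dumping data for table `users`\n",
        os.path.join("ftp", "WS_FTP.ini"): "[example]\nHOST=ftp.example.invalid\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as webroot:
        build_sample_webroot(webroot)
        for rel, reason in audit_webroot(webroot):
            print(f"{rel}: {reason}")
```

Point `audit_webroot` at the directory your web server actually serves; anything it reports should be moved out of the served tree rather than just hidden from crawlers.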

See, Google knows a lot about you and your sites and applications, and all one has to do is ask to get that information from Google. Gaming the Googleplex isn't that difficult, as has been proven over and over by black-hat SEO techniques which snatch clicks and distribute malware. Optimizing pages for maximum Google-bility has almost become an arms race between the black-hat SEO ninjas and the Google geniuses; one side is always trying to out-flank the other and Google's brilliant brains haven't figured out a way to effectively win this battle.

So let's recap... Google has a lot of information about you, some you'd rather Google not share; add that to the fact that the search giant can be gamed while retrieving search results and you have an interesting paradox. Google is essential to the 'net because of the information that it gathers and puts at your fingertips (and your potential customers' fingertips!); but on the other side of that coin is a very real chaos...

Ask yourself... is Google a liability?
