March 5th, 2003, 02:04 PM
Google: Net Hacker Tool
Google: Net Hacker Tool du Jour
"Google, properly leveraged, has more intrusion potential than any hacking tool," said hacker Adrian Lamo, who recently sounded the alarm.
The hacks are made possible by Web-enabled databases. Because database-management tools use canned templates to present data on the Web, typing specific phrases into Internet search tools often leads a user directly to those templated pages. For example, typing the phrase "Select a database to view" -- a common phrase in the FileMaker Pro database interface -- into Google recently yielded about 200 links, almost all of which lead to FileMaker databases accessible online.
In a few cases, the databases contained sensitive information. One held the addresses, phone numbers and detailed biographies of several hundred teachers affiliated with Apple Computer. It also included each teacher's user name and password. The database was not protected by any form of security.
Another search result pointed to a page served by the Drexel University College of Medicine, which linked to a database of 5,500 records of the medical college's neurosurgical patients. The patient record included addresses, telephone numbers and detailed write-ups of diseases and treatments. Once Google pointed the visitor to the page, the hacker merely needed to type in an identical user name and password (in short, the name of the database) in order to access the information.
Both databases were Web-enabled using the FileMaker Pro Web Companion, a component of the $299 FileMaker Pro application, which is primarily targeted at beginning users. According to FileMaker, the Web Companion promises to "convert a single-user database into a multi-user networked solution in one simple step.... Authorized users can search, edit, delete and update records using most popular Web browsers."
Apple did not return calls requesting comment, but the teacher database was apparently taken offline on Friday afternoon.
Drexel University immediately shut down its database upon being informed of the vulnerability. Spokeswoman Linda Roth said university officials had not been aware that it existed online, as it was not a sanctioned university site. Drexel's dean also sent a memo to all employees reiterating the university's policy against unapproved databases. The school is canvassing its network to ensure no other databases have been posted online, Roth said.
A FileMaker spokesman said the company tries its best to make users aware of security issues.
"We're critically aware of security and the need for it," said Kevin Mallon. "We publish white papers and software updates on our site, and we send updates to our registered users about the need for security."
But Mallon suggested that configuring access rights and selecting appropriate passwords are ultimately the user's responsibility. "We constantly emphasize with our users to be aware of the extent of the exposure they want -- or more importantly, the exposure they do not want -- for all databases published on the Web."
Regarding the vulnerable Drexel database, Fred Langston, senior principal consultant of Guardent, an information security services company, said part of the reason the incident occurred might have been because such institutions typically encourage openness with regard to knowledge sharing.
"We've done a lot of work at universities and teaching hospitals, and it's the hardest environment to impose security, because they tend to have an open information-sharing model," Langston said. "It makes it very difficult to impose restrictions on data: In a teaching environment, that's how people learn and extend their knowledge.
"Even if (the vulnerability) hadn't been exposed through Google, it would have been exposed eventually."
A Google spokesman said the company was aware of the situation, and that it provides tools that let webmasters remove inadvertently published information from Google's index within about 24 hours. Tools that allow for even speedier removal are in the works.
Removing links after the fact, though, isn't a very elegant solution, Lamo said.
"When your medical records are indexed in Google, something's wrong."
Oh how secure !
Google spokesman said the company was aware of the situation, and that it provides tools that let webmasters remove inadvertently published information from Google's index within about 24 hours. Tools that allow for even speedier removal are in the works.
March 5th, 2003, 02:12 PM
That's Officer 11001001 to you...
Now you see me | Now you don't
"Relax, Bender; It was just a dream. There's no such thing as two." ~ Fry
sometimes my computer goes down on me
March 5th, 2003, 02:20 PM
if you don't want people to look at your details don't put em up on the net... or any network for tha matter.
but being practical, if you need to have such data on the internet or a network SOME sort of protection should be in place [more then one type would be good too]
March 5th, 2003, 02:32 PM
Yeah I saw Drew's post yesterday.....
Its funny...some sites try so hard to be at the top of Googles search results, yet sites that were never intended to be displayed make it on the results list. Thats why Google beats out the "sold out" search engines like Alta Vista and others.
Make that 11001001's post....sorry
March 5th, 2003, 03:05 PM
Sorry 11001001 ,
I missed your thread yesterday. Its quite hard keeping track of the threads. I donít know about you guys but I donít have the time to read them all, especially the ones posted at different time zones.(when I've gone to sleep).It hard as there are so many categories to go through.
Do you guys read them all.Perhaps some of you students have more time....
* I could easily get lost in cosmos and general chit chat !
March 5th, 2003, 03:10 PM
One way to deal with the threads is to go to Discussion Forums and hit on "View New Posts". It should list the threads you haven't seen since your last visit. That's the only way I can see what posts are going on in all the forums.
Hope that helps.
March 5th, 2003, 03:32 PM
Thanks MsMittens for suggestion. The only problem is, sometimes I miss few day and it just piles up.The post and thread turnover on AO is quite high.I wonder , does anyone keep count of it.Moderator heh heh..
Anyway u cant be ahead of things all the time.
March 5th, 2003, 03:37 PM
Hehe.. I think it varies. You can always browse through the posts and get a general idea. In addition, before making a post, double check to see if it's been done before with the search feature (especially if you haven't been around for a few days).
I think that there are about 40-60 new posts a day (not including any responses, etc.).
No but even if you get a general idea of what is being talked about is helpful. I remember being an admin spending an hour each morning just going through AO and other security sites. I didn't read everything but I did get some ideas of what was going on. In addition, I'm subscribed on 4-5 of the bugtraq lists to see what new vulnerabilities and other things are being discussed. Do I read them all? No but I at least know what issues have appeared. I can look them up afterwards if I need to.
Anyway u cant be ahead of things all the time.
It's better than not knowing.