Similar, and interesting in the context of LulzSec releases, is @PastebinLeaks on Twitter. It scans Pastebin for a variety of things (mail address lists, PGP keys, SQL dumps, and router configuration files have all popped up so far). They're not 100% - especially the mail/password dump detection - but it's definitely catching stuff.
That's balderdash. These kinds of tools raise awareness of the issue, hopefully making more people think twice about posting private data to a public place. If they continue to be unaware of the danger of doing so, then it is simply exploited silently and everyone wonders how it happened.
Your statement assumes that security through obscurity is a good thing.
At this point, you're both right - exposing these things to a massive audience just increases the number of potential attackers.
Someone ought to write a tool that follows this account, and e-mails people warning them that their e-mail has been compromised.
The hard part would be explaining what happened, how to verify it, and how to fix it to random strangers without convincing them that you're the one who just tried to steal their life savings.
www.hacknotifier.com does this (disclaimer: I started it) - but it requires the user to subscribe to our service. Unfortunately, cold emailing them (which we considered), would be considered spam.
Well, it is the best site to find almost anything, so why not passwords? :)
Honestly though, google shouldn't even have to worry about these things, their mission is to organize data on the web. If it is there, it should be searchable.
Private browsing won't stop google from logging anything. It will make it so your browser doesn't remember what you did, but it doesn't stop the authorities from knocking.
Your browsing history will show your passwords that you searched for to people who use your computer. Also, next time you google search when logged on your password might also show as a suggestion.
Otherwise a password-not-yet-leaked will no longer be. If you didn't turn on private browsing as I suggested and are using Safari, type the password you searched for in your URL bar now and you will see why I said what I said.
Maybe someone was like me and they didn't think to not search for their password which ended up on their browser history. The title had password leaks in it and that's the first thing I thought of when I got there: "Hey my MtGox password got leaked lets google it."
For that matter, I have a unique password (with the necessary special characters) for each account that associates with my identity (Not naming any examples here), but only several unique passwords for websites I don't intend to use much e.g. to read newspapers, and apparently, MtGox.
(Yes, I was searching for my MtGox. password because it was the same password I used for random throwaway sites. No I never used it, I don't even remember having confirmed my account there. My asset in bitcoins amount to < $2 USD.)
I still don't understand why all the downvotes. It would've helped me if someone reminded me not to actually google my password with my browser watching. Apparently not anyone else.
This keeps reminding me of that Daily WTF article where a sysadmin sends a warning about phishing spam with an example of one and gets hundreds of UN/PW pairs back... I think email should be taught is school.
Though it's been 2500 years since Sun Tzu wrote "The Art of War", many of his lessons remain relevant. His teaching contains several passages that seem especially suitable for people who work in Information Security:
* "Those who disable foreign armies without combat are the best teachers of the Art of War."
* "Before you fight, first learn the skills of the enemy's workers, and then fight them according to their weaknesses."
* "When you can perceive subtlety, winning is easy."
Without a doubt, this information is key in preparing for attempted security breaches. Without it, determining what to attack and how to do it is impossible. Search engines have become important tools for collecting data and other intelligence. However, despite Google hacking's many years of use, its techniques have perhaps not always been well-treated or publically shared.
How does this actually happen though? Is this simply a case of people leaving the standard "apache index page" turned on or do this many people actually publish links to their SQL files someone crawlable?
Usually a combination of the Apache index pages, dumb server setups, and being people being lazy, careless and/or forgetful when they dump a database to disk.
Also, sometimes an index.html file is accidentally removed, causing (brain-dead installs) to suddenly reveal the contents of a directory, eg. http://shahinfosoft.com/
Crawling pastebin is trivial - there was an HN story on it awhile ago, and I wrote my own from scratch as an exercise. Perhaps we should suggest this to the guy behind https://shouldichangemypassword.com/
...why do you feel bad about HN just for exposing terrible security practice? Hopefully startups get shocked enough by it to tighten up their privacy policies.
It's not necessarily a matter of them being cheap, good developers are hard to find, and the only people who can tell the difference are/were good developers themselves.
This is doubly true with security. There is no cosmetic or usability difference between a secure application and a nightmare that leads to thousands of leaked passwords. So companies that don't already have a good group of developers are screwed when hiring, and companies that don't consider their existing team's decision as the most important factor when hiring are asking for trouble.
You think Fortune 500 companies don't hire complete idiots too? They just have 5 extra people for every 1 developer to double check whether or not the developer did something stupid, test the site for obvious vulns, etc.
This could happen to any developer. All it takes is a dumb installation package to screw up your permissions, or something similarly trivial.
Also, it's not a matter of development, but security and system administration. They are often performed not only by different people, but sometimes even by different sub-organizations in different physical locations. It's not a good excuse, but we shouldn't be so quick to judge developers author knowing what exactly happened.
43 comments
[ 2.8 ms ] story [ 83.8 ms ] threadhttp://twitter.com/#!/PastebinLeaks
Your statement assumes that security through obscurity is a good thing.
Someone ought to write a tool that follows this account, and e-mails people warning them that their e-mail has been compromised.
The hard part would be explaining what happened, how to verify it, and how to fix it to random strangers without convincing them that you're the one who just tried to steal their life savings.
Honestly though, google shouldn't even have to worry about these things, their mission is to organize data on the web. If it is there, it should be searchable.
EDIT: I, however, do not agree that it is necessary, even more being a link posted on HN
Otherwise a password-not-yet-leaked will no longer be. If you didn't turn on private browsing as I suggested and are using Safari, type the password you searched for in your URL bar now and you will see why I said what I said.
And for that matter, why do you have so few that you can easily google for them instead of generating random ones per site?
(Fun fact, googling for your e-mail address reveals a hash of your password on MtGox.)
For that matter, I have a unique password (with the necessary special characters) for each account that associates with my identity (Not naming any examples here), but only several unique passwords for websites I don't intend to use much e.g. to read newspapers, and apparently, MtGox.
(Yes, I was searching for my MtGox. password because it was the same password I used for random throwaway sites. No I never used it, I don't even remember having confirmed my account there. My asset in bitcoins amount to < $2 USD.)
I still don't understand why all the downvotes. It would've helped me if someone reminded me not to actually google my password with my browser watching. Apparently not anyone else.
There is also a pretty good book from a spanish Microsoft MVP (yeah it sounds bad but still its an important award, :\)
http://www.informatica64.com/libros.aspx?id=hackingBuscadore...
It's a shame they decided not to translate it, anyone is up to it here? It contains everything that you'd ever wonder and much more.
Title: Search Engine Hacking with Google, Bing & Shodan Author: Enrique Rando
Pages: 272
Price: 20 Euros + Shipping (includes IVA)
Though it's been 2500 years since Sun Tzu wrote "The Art of War", many of his lessons remain relevant. His teaching contains several passages that seem especially suitable for people who work in Information Security:
* "Those who disable foreign armies without combat are the best teachers of the Art of War."
* "Before you fight, first learn the skills of the enemy's workers, and then fight them according to their weaknesses."
* "When you can perceive subtlety, winning is easy."
Without a doubt, this information is key in preparing for attempted security breaches. Without it, determining what to attack and how to do it is impossible. Search engines have become important tools for collecting data and other intelligence. However, despite Google hacking's many years of use, its techniques have perhaps not always been well-treated or publically shared.
Also, sometimes an index.html file is accidentally removed, causing (brain-dead installs) to suddenly reveal the contents of a directory, eg. http://shahinfosoft.com/
see the on at http://news.ycombinator.com/item?id=2704359
edit: definitely downmod to make an example.
http://www.google.com/search?hl=en&tbo=1&biw=1315...
(SFW-ish; no images, just links to really sleazy websites)
This is doubly true with security. There is no cosmetic or usability difference between a secure application and a nightmare that leads to thousands of leaked passwords. So companies that don't already have a good group of developers are screwed when hiring, and companies that don't consider their existing team's decision as the most important factor when hiring are asking for trouble.
Also, it's not a matter of development, but security and system administration. They are often performed not only by different people, but sometimes even by different sub-organizations in different physical locations. It's not a good excuse, but we shouldn't be so quick to judge developers author knowing what exactly happened.
As someone else mentioned, Johnny posted articles on this years ago. But, he merely popularized it, Google hacking was around long before him.
See also: filetype:mdb, filetype:xls, "ssn" and so on.
For music, try: metallica filetype:mp3 For books, try: oreilly filetype:epub (or whatever)