Home » Data Protection » Network Security

5 Ways Google Is Shaking the Security World

Whether you're charged with preventing hacks, protecting assets, stopping fraud or defending trademarks, Google and other search engines present a new mix of risks for everybody in the security game.

By Sarah D. Scalet

Page 3

2. Google Hacking (loosely defined)

What it is: Using search engines to find intellectual property. It's Google intel: The researcher uses targeted Web searches to find bits and pieces of information that, when put together, form a picture of an organization's strategy. Unlike, say, launching a SQL injection attack, doing competitive intelligence using public sources is quite legal (and may in fact be good business).

How it works: The researcher scours the Web for information that might include research presented at academic conferences, comments made in chat rooms, résumés or job openings. "Companies leave bread crumb trails all over the place on the Web," says Leonard Fuld, founder of Fuld & Co. and author of the forthcoming book The Secret Language of Competitive Intelligence. One common tactic is using search queries that reveal only specific file types, such as Microsoft Excel spreadsheets (filetype:xls), Microsoft Word documents (filetype:doc) or Adobe PDFs (filetype:pdf). This kind of search filters out a lot of noise. Say you want information about General Motors. Searching for "GENERAL MOTORS" "FINANCIAL ANALYSIS" one day in February yielded 56,400 results. Searching for "GENERAL MOTORS" "FINANCIAL ANALYSIS" FILETYPE:XLS brought up only 34 documents. One of those documents was a spreadsheet from a recruiting agency that contains the current jobs and work history (though not the names) of executives at numerous companies (including GM) who may be on the job market.

Another common approach is searching for phrases that may indicate information that wasn't intended to be public. For this, keywords such as "personal", "confidential" or "not for distribution" are invaluable. These targeted searches don't always hit pay dirt, but they can be fascinating. For instance, on that same day in February, the top hit on a search for "GENERAL MOTORS" "NOT FOR DISTRIBUTION" was a PDF from a credit-rating company with poorly redacted information that could be easily viewed by pasting the text into another document. (Oops!)

A final tactic is to target the organization's site itself for information, such as phone lists, that could be useful for social engineering scams. Researchers might use the site search function and look for the phrase "phone list" or "contact list". (An actual search might be SITE:CSOONLINE.COM "PHONE LIST", and if you run that particular search, you'll find stories CSO has published about why your company's phone directory is better kept under wraps.)

Why it matters: "If it's on Google, it's all legal," says Ira Winkler, information security consultant and author of Spies Among Us. Competitive intelligence of this sort is illegal espionage only when it involves a trade secret—and if something is public enough to appear in Google, can you really argue that it was protected like a trade secret?