


Your humiliating secrets, now showing on Google

Jul 18, 2011 · 4 mins
Data and Information Security

It’s becoming stupidly easy for people to learn things about you through a simple Internet search.

If you had a drug test for a potential job or had a paternity test, a search engine can probably uncover it because those you do business with are doing a lousy job at protecting your privacy.

That's according to Paul Ducklin, Sophos’s Head of Technology, Asia Pacific.

In a post on Sophos’ Naked Security blog, Ducklin writes about the problem at length and includes screen shots to illustrate the things you can find.

He writes:

Think of all the organisations and companies you’ve trusted with your personally identifiable information recently. The list probably includes hotel chains, game networks, computer security companies, police departments, mobile phone companies, social networking services, on-line discounters, and more.

Of all the information you’ve entrusted to others, which would you consider the most embarrassing to see popping up on the Internet?

Which sort of data leakage would be most open to misinterpretation, confusion, disappointment, retribution, tears or anger by your boss, spouse, business partner, HR manager or parole officer?

Well, if you’ve done business with South Australian medical testing company Medvet Science Pty Ltd recently, I may have the answer for you!

In an astonishing security botch-up reported this weekend – ironically in The Australian, one of the publications of the security-beleaguered Murdoch stable – Medvet allowed its customer accounts to be searched, found, indexed and cached by search engines.

A simple Google search, for example, would be enough to recover a wealth of customer names, billing addresses, and services purchased. And the services offered proudly by Medvet – at least until last weekend – include drug and DNA testing.

Had a paternity test? On yourself or on your children? Taken a drug test privately in advance of official workplace screening? Interested in explaining why to all and sundry?

This is yet another painful reality of the Internet age. Medvet is just one case.

A few years ago, security expert Tom Bowers gave a talk I covered in which he demonstrated all the things you can find simply by hanging out on Google long enough:

–Hackers can zero in on their prey using such tools as Google Earth, Google Patent Search and Google Blog Search, Bowers said back in 2007.

–The tools can help the bad guys unearth financial filings and security analyst reports that are potential goldmines of information.

–For example, he said, Google Earth can provide spies with satellite photos of competitors’ plants, and if a company includes too much information in one of its patents, Google Patent Search can be especially valuable.

The warnings about Google go back even further than 2007. Famed hacker Johnny Long made headlines years ago by explaining ways to turn Google into a malicious tool.

I mention the Bowers talk because his advice is as valuable today as it was four years ago:

He urged IT professionals to learn the very same techniques hackers use so they can intercept any sensitive data from their company that may end up on Google. “If something ends up on Google it becomes public information,” Bowers said at the time. “It’s your job to see if your intellectual property is on Google and to come up with the right defenses so it doesn’t happen.”

And, as individuals, it’s our challenge to keep an eye on Google to see what, if any, embarrassing details about our spending or work habits are escaping into the public domain.

–Bill Brenner
