


Google exposes the Skulls and Bones in Yale’s closet

Aug 23, 2011
5 mins
Data and Information Security

For an institution like Yale University, home of legendary secret society Skull and Bones, this must be especially painful: A data breach in which sensitive information sat exposed on the Internet for 10 months.

We’ve written a lot about the dangers Google can pose. This latest incident shows that some messages need to be repeated frequently.

So let’s look at what happened. I’ll give you italicized bits from the story Computerworld colleague and friend Jaikumar Vijayan broke yesterday, followed by some observations.

Yale University has notified about 43,000 faculty, staff, students and alumni that their names and Social Security numbers were publicly available via Google search for about 10 months. The breach resulted when a File Transfer Protocol (FTP) server on which the data was stored became searchable via Google as the result of a change the search engine giant made last September, the Yale Daily News reported. The online publication reported that Yale IT Services Director Len Peters said the FTP server holding the compromised information was used mainly for open-source materials. In September 2010, Google made a change that allowed its search engine to index and find FTP servers. But university IT officials were unaware of the change, Peters told the Daily News.

I don’t think Yale needs to be demonized over this. It wouldn’t help the victims or change the outcome anyway. The sad fact is that this could have happened to any institution. This seems to have resulted from one of the nuttiest, most random actions imaginable.

Those of us in the online publishing business know all too well what can happen if Google makes the slightest of back-end changes. A couple of years ago, for example, Google made an algorithm change that buried some of our content and led to a steep traffic drop-off. That’s something you don’t see coming.

In this latest case, Google made a change that allowed it to index and find FTP servers. Talk about dumb luck.

The embarrassing thing for Yale is that its stuff sat out in the open for 10 months before someone noticed.

In September 2010, Google made a change that allowed its search engine to index and find FTP servers. But university IT officials were unaware of the change, Peters told the Daily News. When Yale discovered the breach in June, it immediately took the server offline, deleted the sensitive data and evaluated whether there were any other files containing similar data on the FTP server, Peters said.

There’s still a lot we don’t know about this case, but one has to wonder why it took so long for Yale to catch this. On the surface, it seems the institution failed to heed an old piece of advice I’ve heard from security practitioners over and over again: Check Google every day for anything that may be related to your organization, because you just never know what might leak from your servers to the Internet.
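The clean-up Peters describes (checking whether any other files on the FTP server held similar data) is the kind of check that can run before anything is published, not ten months after. The following is an added example, not code from Yale or from the story: a small Python script that walks a publication directory, skips binaries, and flags text files containing Social Security number patterns. The directory layout, file names and numbers it scans are constructed for the demonstration; the SSN pattern is a common approximation (area 000, 666 and 9xx, group 00 and serial 0000 are excluded to cut false positives) and is an assumption, not an official validation rule.

```python
"""Flag files with SSN-like values under a publication root before exposure.

Added example (not the page's or Yale's code). Assumes the FTP server's
publication tree is mounted locally; sample files below are constructed.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Assumed SSN approximation: AAA-GG-SSSS with optional dash/space separators.
# Rejects area 000/666/9xx, group 00 and serial 0000, which are never issued.
SSN_RE = re.compile(
    r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b"
)


def find_ssns(text: str) -> list[str]:
    """Return every SSN-like substring found in text."""
    return SSN_RE.findall(text)


def scan_tree(root: Path, max_bytes: int = 5_000_000) -> dict[str, int]:
    """Map each offending file (path relative to root) to its match count.

    Files that are not valid UTF-8 text (images, archives) or exceed
    max_bytes are skipped rather than guessed at.
    """
    findings: dict[str, int] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="strict")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable: not a text leak candidate
        hits = find_ssns(text)
        if hits:
            findings[path.relative_to(root).as_posix()] = len(hits)
    return findings


def build_sample_tree(base: Path) -> Path:
    """Create a constructed stand-in for an FTP publication root."""
    (base / "docs").mkdir()
    (base / "docs" / "README.txt").write_text(
        "Open-source course materials. Contact: it-help@example.edu\n"
    )
    (base / "tools").mkdir()
    (base / "tools" / "build.log").write_text(
        "Build 2011-08-23 finished in 125 ms\n"
    )
    # Constructed binary file: invalid UTF-8, so the scanner must skip it.
    (base / "tools" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n\x00\xff")
    # Constructed spreadsheet export that should never have been published.
    (base / "alumni").mkdir()
    (base / "alumni" / "giving_2010.csv").write_text(
        "name,ssn\nJane Doe,123-45-6789\nJohn Roe,234-56-7890\n"
    )
    # Same problem without separators.
    (base / "students").mkdir()
    (base / "students" / "roster.txt").write_text("ID 345678901 on file\n")
    return base


def scan_sample_tree() -> dict[str, int]:
    """Build the constructed tree in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for rel_path, count in scan_sample_tree().items():
        print(f"BLOCK PUBLISH: {rel_path} ({count} SSN-like values)")
```

Run it against the real publication root (replace the sample tree with `scan_tree(Path("/srv/ftp/pub"))`, a placeholder path) as a pre-publish gate or a daily cron job; a non-empty result should stop the upload and page a human. It covers only the server side of the advice above; the periodic search for your own organization's data on Google remains a separate, manual check.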

It’s an old danger, one I touched on in another post last month:

A few years ago, security expert Tom Bowers gave a talk I covered in which he demonstrated all the things you can find simply by hanging out on Google long enough:

–Hackers can zero in on their prey using such tools as Google Earth, Google Patent Search and Google Blog Search, Bowers said back in 2007.

–The tools can help the bad guys unearth financial filings and security analyst reports that are potential goldmines of information.

–For example, he said, Google Earth can provide spies with satellite photos of competitors’ plants, and if a company includes too much information in one of its patents, Google Patent Search can be especially valuable.

The warnings about Google go back even further than 2007. Famed hacker Johnny Long made headlines years ago by explaining ways to turn Google into a malicious tool.

Bowers offered advice back then that institutions like Yale would do well to heed today:

He urged IT professionals to learn the very same techniques hackers use so they can intercept any sensitive data from their company that may end up on Google. “If something ends up on Google it becomes public information,” Bowers said at the time. “It’s your job to see if your intellectual property (or sensitive customer data) is on Google and to come up with the right defenses so it doesn’t happen.”

Yale has learned the lesson the hard way. Now it’s all about the clean-up and making sure this sort of thing doesn’t happen again.

I leave you with another older article from our archives that is as useful today as it was then — a piece my predecessor Sarah Scalet wrote in 2006 called “5 Ways Google Is Shaking the Security World.”

She outlines such risks as Google hacking, where people with enough time and skill can find an organization’s network holes simply by running the right kinds of Google searches; click fraud; and the Google Earth risk Bowers mentioned.

It’s too late for Yale to avoid the embarrassing fallout over this. But others have a chance to learn some important lessons and make the appropriate security adjustments.

–Bill Brenner
