[ISN] 'Good guys' show just how easy it is to steal ID
InfoSec News
isn at c4i.org
Mon Mar 7 06:04:02 EST 2005
http://seattlepi.nwsource.com/local/214663_googlehack05.html
By PAUL SHUKOVSKY
SEATTLE POST-INTELLIGENCER REPORTER
March 5, 2005
Teams of hackers surfed the Web at Seattle University yesterday,
harvesting Social Security and credit card numbers like a farmer
cutting wheat. In less than an hour, they found millions of names,
birth dates and numbers -- cyberburglar tools for the crime of
identity theft -- using just one, familiar Internet search engine:
Google.
But these were the good guys -- members of a somewhat secretive
organization of computer security pros, forensic cybercops,
prosecutors and federal agents called Agora.
The group decided to lift the curtain of secrecy for a day to sound a
warning about the dangers of "Google hacking."
It turns out that the powerful search engine, in the hands of a
knowledgeable cybertrekker, can ferret out all kinds of sensitive
information never meant to be made public. All it takes are
sophisticated search terms. The terms go beyond specifying key words
to include file types. The right terms can even find information
deleted from corporate or government Web sites but temporarily cached
in Google's massive warehouse of data.
Kirk Bailey, the city of Seattle's chief information-security officer,
calls his Agora compatriots "the primary defenders of the virtual
world in the Northwest." Before launching eight teams of hackers from
companies such as Intel Corp. and computer-security consultants
IOActive, Bailey declared that "our mission is to find answers on how
to fix these problems."
The hacking team members sat crunched together at round tables, each
one hunched intently over a laptop. Bailey gave them the go-ahead, and
fingers started flying across keyboards.
"A little music to hack by," said IOActive consultant Frank Heidt, but
he then turned off the audio and got down to business.
"We're simulating an ID-theft ring," mumbled Heidt, who was focused on
his screen as he entered a search term that, to the uninitiated,
looked like nothing more than a jumble of meaningless letters.
Moments later, Heidt bellowed out "Yes" as military credit card
numbers filled his screen. In the next chair, Akshay Aggarwal, also
with IOActive, was grinning. "A million Social Security numbers of
immigrants. Tax records. Addresses. What do you want?"
Around the room, hackers were compromising people's identities. They
wouldn't even let the dead rest in peace.
The Intel team found a Web site listing the names, birth dates, Social
Security numbers, race and religion of 602 helicopter pilots who died
in Vietnam.
Another Intel team member came up with a Brazilian Web site that
contained the names, credit card numbers, birth dates and home phone
numbers of 388 Americans who appeared to have ordered pornographic
movies online.
Bailey called the meeting to order to announce results of the contest.
An ad-hoc group of lawyers and computer-security specialists won with
190 million points by digging up death certificates with Social
Security numbers. But more ominously, by searching for personnel with
secret clearances, the team found, in a U.S. Navy site, personal
information on an expert in virology investigations and on a responder
to nuclear emergencies.
Two teams found information about people on terrorist watch lists. The
IOActive team was the runner-up with almost 13 million points.
IOActive Chief Executive Officer Joshua Pennell pointed out that the
problem is not with Google, but with corporate cultures with the
attitude, "Nobody is going to find me, nobody cares what's on my
computer." These companies allow Google to enter into the public
portion of their networks, sometimes called the DMZ, and index all the
information contained there. Toby Kohlenberg, an information-security
specialist with Intel, asserted that "Google doesn't need to be fixed.
Companies need to understand that they are leaving themselves exposed"
by posting sensitive information in public places. "If they're
performing proper security, then their intranet shouldn't be
vulnerable to a Google search engine."
More information about the ISN
mailing list