RE: Google lists vulnerable sites.

["Bryan Allerdice" <bryan () professionalhacker com>]

I don't have an answer to the responsiveness question, but I do have a piece
of advice that unfortunately is like shutting the gate after the horse has
bolted, but by putting this tag in a page, you tell Google not to cache...

<META NAME="GOOGLEBOT" CONTENT="NOARCHIVE">

Back to business though, think about other places where cached content can
be found, like archive.org. You can't go asking archive.org for all sites
containing x and y and z, but it's still a useful tool. I use archive.org as
part of my "background investigation stage" when I do security analysis
jobs. Sometimes you find that in the early days of a company, they put stuff
on their site that they wish they never did because they weren't aware of
the dangers at the time.

For instance, I was doing a job for a financial services company once, and
they'd published their banking details on their site for a few weeks a year
prior. Other similar companies were getting ripped off because they too were
publishing the same kind of info, so they thought they'd be smart and clean
their site up before the crims got around to them. A year later and they
still hadn't been hit like the others, so they assumed they were safe. When
I found the info and asked them if it was still valid, they were rather
shocked. Incidentally the details were still valid.

Even if the archive.org doesn't turn up extreme examples like in my example,
you still get value out of familiarizing yourself with the site as it grows.
Perhaps you are trying to talk your way past someone in the company, social
engineering job. The more background you know, the more little things you
can throw into a conversation, the easier it is to appear like you belong.

I wonder if we could come up with as complete a list as possible of places
someone would have to go to remove sensitive info?

- google.com
- archive.org
- add some more...

BRYAN ALLERDICE

-----Original Message-----
From: De Velopment [mailto:devel () www2 kparker org]
Sent: Saturday, July 06, 2002 5:25 PM
To: vuln-dev () securityfocus com
Subject: Re: Google lists vulnerable sites.


Hello,

   I've been following this discussion about Google with interest.

   OK.  So a company is caught with their "pants down" and their "Crown
Jewels" are stored away in the Google Cache.  They clean up their site
and secure it.

   How responsive is Google, at that point, to removing their Cache
and links to your company's sensitive pages?

    Best regards,

        Ken Parker (kparker () www2 kparker org)