Educause Security Discussion mailing list archives

Re: Google Hacking


From: "Greene, Allen" <Allen.Greene () ROCHESTER EDU>
Date: Wed, 19 Nov 2014 21:20:31 +0000

Great tip, wasn't aware that Pastebin had similar alerts.  Thanks!

Allen Greene | Security Analyst Senior
University of Rochester | University IT Security and Policy
Office:  (585) 275-7335 | Allen.Greene () Rochester edu


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brad Judy
Sent: Wednesday, November 19, 2014 4:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Google Hacking

One caveat is that as Google has gotten more into advanced and customized search algorithms, the results may no longer 
be comprehensive.  In particular, if you set up a Google alert under a Google account, it runs the search under the 
tailored context of that account and I (and others) have seen many misses of Google indexed content because the 
tailoring ignores those items.

If you want to do Google hacking, make sure it uses a context with no Google account or Google cookies.  Or, try to 
keep a clean Google account that is only ever used for the Google alerts (it can be tricky to totally avoid Google's 
user metadata vacuum).

I highly recommend setting up Pastebin alerts as well if you haven't looked into it.  It can give you quick 
notification of a dump of credentials that includes individuals from your school.

One Google hack to consider is a search like:

site:school.edu filetype:xls SSN  (or other words like "social security", "student ID", etc.)


Brad Judy

Director of UIS Security
University Information Systems
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu




From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greene, 
Allen
Sent: Wednesday, November 19, 2014 8:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Google Hacking

Greetings All,

We're looking at expanding our information disclosure program into Google Hacking.  I'm wondering if someone else out 
there is currently utilizing this method or has developed a program around unauthorized information disclosure?  I've 
done a good deal of research on this already; I'm curious how other institutions may have already implemented this and 
any feedback on their experience.

Thanks & Happy Holidays!
Allen

Allen Greene | Security Analyst Senior
University of Rochester | University IT Security and Policy
Office:  (585) 275-7335 | Allen.Greene () Rochester edu
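
As an added example (not part of the original thread), one way to triage the text of a paste once a Pastebin alert like the one Brad Judy recommends has fired: it lists the distinct accounts on the institution's domain so they can be queued for password resets, and it does not retain the leaked passwords. The domain `school.edu` is the placeholder from the thread; the function name, accepted line formats and sample paste are assumptions constructed for illustration.

```python
import re

# Assumption: placeholder domain taken from the thread's example search.
DOMAIN = "school.edu"

# A whole line shaped like user@host<sep>secret, where <sep> is one of : ; | , tab or space.
# Secrets containing spaces are not matched (keeps prose lines from counting as credentials).
CRED_LINE = re.compile(
    r"^\s*(?P<user>[A-Za-z0-9._%+-]+)@(?P<host>[A-Za-z0-9.-]+\.[A-Za-z]{2,})"
    r"\s*[:;|,\t ]\s*(?P<secret>\S+)\s*$"
)

# Constructed sample paste, not real data.
SAMPLE_PASTE = """\
leaked accounts, contact admin@school.edu for removal
jdoe@school.edu:Winter2014!
JDoe@School.EDU:Winter2014!
asmith@mail.school.edu   hunter2
bob@notschool.edu:letmein
eve@school.edu.example.com;qwerty
carol@gmail.com|passw0rd
"""


def triage_paste(text, domain=DOMAIN):
    """Count credential-shaped lines and list unique accounts on `domain`.

    The secret part of each line is matched but never stored or returned.
    """
    domain = domain.lower()
    accounts = set()
    credential_lines = 0
    for line in text.splitlines():
        m = CRED_LINE.match(line)
        if not m:
            continue
        credential_lines += 1
        host = m.group("host").lower()
        # Exact domain or a subdomain of it; lookalikes such as
        # notschool.edu or school.edu.example.com are excluded.
        if host == domain or host.endswith("." + domain):
            accounts.add(f"{m.group('user').lower()}@{host}")
    return {"credential_lines": credential_lines, "accounts": sorted(accounts)}


if __name__ == "__main__":
    print(triage_paste(SAMPLE_PASTE))
```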


