April 23, 2004

Googling for sensitive info

A sysadmin should be responsible for ensuring that sensitive info doesn't get published to the web. Here's a list of googledorks, with links showing how such info gets exposed to the public.

Take a look and see if your server is making any of these mistakes. Then think about why it's a bad thing...

An important point to consider is how these links can be used to hammer away at your users' login passwords. Often these web pages don't take sufficient care to guard against brute force password attacks. Here's the scenario: your users are setting up accounts for themselves on 3rd party websites. They're using the same username as the one they use at work. Then they're also using the same password as their work account. How is this bad? You might think that since your work sites are set up to monitor and report any bad login attempts (they ARE, aren't they?) you'd be safe. WRONG.

Here's why: should someone guess Joe's account username, they could then hammer away at these outside sites trying to break his password. Then all they'd need to do is come back to the work site and try using the discovered password. There'd be nothing you could detect, other than their source IP, that would prevent it. Thus you really need to stress to your users that using the same password across many different systems is a REALLY BAD THING. If anything, given user laziness, you should stress that they NOT use their work username and password on ANY other systems.

The next step, if you're running such a site, might be to consider providing some sort of notification to your users if their account login is being unduly accessed. Just send their e-mail address a short message that says something like "Your account has been repeatedly accessed from IP address: x.x.x.x using the wrong password." Granted, this might run the risk of having them ask you what the hell to do about it. Yes, you might be risking actual contact from your users seeking assistance. Consider this as an opportunity to let them know you're looking out for them; they'll be stunned to encounter a sysadmin that actually cares.
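Here is what that notification step looks like in code. This is an added example, not code from the original post: it scans constructed sshd-style auth log lines (hypothetical sample data, not from any real server), counts failed password attempts per (username, source IP) inside a sliding time window, and builds the short e-mail text suggested above for any pair that crosses a threshold. The log format, the threshold of 3 failures in 10 minutes, and the function names are all assumptions.

```python
"""
Added example (not from the original post): detect repeated failed logins
per (username, source IP) within a time window and build the notification
message the post suggests sending to the affected user.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines in an sshd-like syslog format (hypothetical data).
SAMPLE_LOG = """\
Apr 23 10:01:02 www sshd[2201]: Failed password for joe from 192.0.2.10 port 51522 ssh2
Apr 23 10:01:05 www sshd[2203]: Failed password for joe from 192.0.2.10 port 51523 ssh2
Apr 23 10:01:09 www sshd[2205]: Failed password for joe from 192.0.2.10 port 51524 ssh2
Apr 23 10:01:14 www sshd[2207]: Failed password for joe from 192.0.2.10 port 51525 ssh2
Apr 23 10:02:30 www sshd[2210]: Accepted password for joe from 192.0.2.10 port 51530 ssh2
Apr 23 10:05:00 www sshd[2215]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Apr 23 11:30:00 www sshd[2300]: Failed password for joe from 203.0.113.5 port 60001 ssh2
"""

# Matches both failed and accepted password lines; only failures are counted.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2004):
    """Parse one log line into a dict, or return None if it is not a login record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog lines carry no year; the caller supplies one (assumption: 2004).
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "ip": m["ip"], "failed": m["result"] == "Failed"}


def find_repeated_failures(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return {(user, ip): max_failures_in_window} for pairs reaching the threshold."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["failed"]:
            failures[(rec["user"], rec["ip"])].append(rec["ts"])

    hits = {}
    for key, times in failures.items():
        times.sort()
        start, best = 0, 0
        # Sliding window: for each attempt, count how many earlier ones fall within `window`.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[key] = best
    return hits


def notification_text(user, ip, count):
    """Build the short message the post suggests e-mailing to the user."""
    return (f"Your account '{user}' has been repeatedly accessed ({count} attempts) "
            f"from IP address: {ip} using the wrong password.")


def build_notifications(log_text, threshold=3):
    """One notification string per (user, ip) pair that crossed the threshold."""
    hits = find_repeated_failures(log_text, threshold)
    return [notification_text(u, ip, n) for (u, ip), n in sorted(hits.items())]


if __name__ == "__main__":
    for msg in build_notifications(SAMPLE_LOG):
        print(msg)
```

On the sample data only joe's four failures from 192.0.2.10 trigger a message; the single failures from alice and from the second IP stay below the threshold, and the later successful login from the same IP is not counted. A per-(user, IP) window keeps one user's typo streak from masking a separate source, and the threshold keeps an occasional mistyped password from generating mail.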

Geek
