Table 9.3 English Translations of the Word Password Language Word Translation German password Kennwort Spanish password contraseña French password mot de passe Italian password parola d’accesso Portuguese password senha Dutch password Paswoord Searching for Credit Card Numbers, Social Security Numbers, and More Most people have heard news stories about Web hackers making off with customer credit card information. With so many fly-by night retailers popping up on the Internet, it’s no wonder that credit card fraud is so prolific.These mom-and-pop retailers are not the only ones success- fully compromised by hackers. Corporate giants by the hundreds have had financial database compromises over the years, victims of sometimes very technical, highly focused attackers. What might surprise you is that it doesn’t take a rocket scientist to uncover live credit card numbers on the Internet, thanks to search engines like Google. Everything from credit infor- mation to banking data or supersensitive classified government documents can be found on the Web. Consider the (highly edited) Web page shown in Figure 9.9. Figure 9.9 Google Stores Piles and Piles of Previously Pilfered Personal Data Usernames, Passwords, and Secret Stuff, Oh My! • Chapter 9 361 452_Google_2e_09.qxd 10/5/07 1:08 PM Page 361 This document, found using Google, lists hundreds and hundreds of credit card numbers (including expiration date and card validation numbers) as well as the owners’ names, addresses, and phone numbers.This particular document also included phone card (calling card) numbers. Notice the scroll bar on the right-hand side of Figure 9.9, an indicator that the displayed page is only a small part of this huge document—like many other documents of its kind. In most cases, pages that contain these numbers are not “leaked” from online retailers or e-commerce sites but rather are most likely the fruits of a scam known as phishing, in which users are solicited via telephone or e-mail for personal information. Several Web sites, including MillerSmiles.co.uk, document these scams and hoaxes. Figure 9.10 shows a screen shot of a popular eBay phishing scam that encourages users to update their eBay profile information. Figure 9.10 Screenshot of an eBay Phishing Scam Once a user fills out this form, all the information is sent via e-mail to the attacker, who can use it for just about anything. Sometimes this data is stored on a web server used by the attacker. In some cases I’ve seen online ”phishing investigators” post reports which link to the phisher’s cache of pilfered personal data. When a search engine crawls those links, all that personal data is suddenly available to even the most amateur Google hacker. 362 Chapter 9 • Usernames, Passwords, and Secret Stuff, Oh My! 452_Google_2e_09.qxd 10/5/07 1:08 PM Page 362 Tools and Traps… Catching Online Scammers In some cases, you might be able to use Google to help nab the bad guys. Phishing scams are effective because the fake page looks like an official page. To create an offi- cial-looking page, the bad guys must have examples to work from, meaning that they must have visited a few legitimate companies’ Web sites. If the fishing scam was cre- ated using text from several companies’ existing pages, you can key in on specific phrases from the fake page, creating Google queries designed to round up the servers that hosted some of the original content. Once you’ve located the servers that con- tained the pilfered text, you can work with the companies involved to extract corre- lating connection data from their log files. If the scammer visited each company’s Web page, collecting bits of realistic text, his IP should appear in each of the log files. Auditors at SensePost (www.sensepost.com) have successfully used this technique to nab online scam artists. Unfortunately, if the scammer uses an exact copy of a page from only one company, this task becomes much more difficult to accomplish. Social Security Numbers Attackers can use similar techniques to home in on Social Security numbers (SSNs) and other sensitive data. For a variety of reasons, SSNs might appear online—for example, educa- tional facilities are notorious for using an SSN as a student ID, then posting grades to a public Web site with the “student ID” displayed next to the grade. A creative attacker can do quite a bit with just an SSN, but in many cases it helps to also have a name associated with that SSN. Again, educational facilities have been found exposing this information via Excel spreadsheets listing student’s names, grades, and SSNs, despite the fact that the student ID number is often used to help protect the privacy of the student! Although I’ve never revealed how to locate SSN’s, several media outlets have done just that—irresponsibly posting the search details online. Although the blame lies with the sites that are leaking this information, in my opinion it’s still not right to draw attention to how exactly the informa- tion can be located. Personal Financial Data In some cases, phishing scams are responsible for publicizing personal information; in other cases, hackers attacking online retails are to blame for this breach of privacy. Sadly, there are many instances where an individual is personally responsible for his own lack of privacy. Such Usernames, Passwords, and Secret Stuff, Oh My! • Chapter 9 363 452_Google_2e_09.qxd 10/5/07 1:08 PM Page 363 is the case with personal financial information. With the explosion of personal computers in today’s society, users have literally hundreds of personal finance programs to choose from. Many of these programs create data files with specific file extensions that can be searched with Google. It’s hard to imagine why anyone would post personal financial information to a public Web site (which subsequently gets crawled by Google), but it must happen quite a bit, judging by the number of hits for program files generated by Quicken and Microsoft Money, for example. Although it would be somewhat irresponsible to provide queries here that would unearth personal financial data, it’s important to understand the types of data that could potentially be uncovered by an attacker.To that end,Table 9.4 shows file extensions for various financial, accounting, and tax return programs. Table 9.4 File Extensions for Various Financial Programs File Extension Description afm Abassis Finance Manager ab4 Accounting and Business File mmw AceMoney File Iqd AmeriCalc Mutual Fund Tax Report et2 Electronic Tax Return Security File (Australia) tax Intuit TurboTax Tax Return t98-t04 Kiplinger Tax Cut File (extension based on two-digit return year) mny Microsoft Money 2004 Money Data Files mbf Microsoft Money Backup Files inv MSN Money Investor File ptdb Peachtree Accounting Database qbb QuickBooks Backup Files reveal financial data qdf Quicken personal finance data soa Sage MAS 90 accounting software sdb Simply Accounting stx Simply Tax Form tmd Time and Expense Tracking tls Timeless Time & Expense fec U.S. Federal Campaign Expense Submission wow Wings Accounting File 364 Chapter 9 • Usernames, Passwords, and Secret Stuff, Oh My! 452_Google_2e_09.qxd 10/5/07 1:08 PM Page 364 Searching for Other Juicy Info As we’ve seen, Google can be used to locate all sorts of sensitive information. In this section we take a look at some of the data that Google can find that’s harder to categorize. From address books to chat log files and network vulnerability reports, there’s no shortage of sensi- tive data online.Table 9.5 shows some queries that can be used to uncover various types of sensitive data. Table 9.5 Queries That Locate Various Sensitive Information Query Description intext:”Session Start * * * *:*:* *” AIM and IRC log files filetype:log filetype:blt blt +intext:screenname AIM buddy lists buddylist.blt AIM buddy lists intitle:index.of cgiirc.config CGIIRC (Web-based IRC client) config file, shows IRC servers and user creden- tials inurl:cgiirc.config CGIIRC (Web-based IRC client) config file, shows IRC servers and user creden- tials “Index of” / “chat/logs” Chat logs intitle:”Index Of” cookies.txt “size” cookies.txt file reveals user information “phone * * *” “address *” “e-mail” Curriculum vitae (resumes) reveal names intitle:”curriculum vitae” and address information ext:ini intext:env.ini Generic environment data intitle:index.of inbox Generic mailbox files “Running in Child mode” Gnutella client data and statistics “:8080” “:3128” “:80” filetype:txt HTTP Proxy lists intitle:”Index of” dbconvert.exe chats ICQ chat logs “sets mode: +p” IRC private channel information “sets mode: +s” IRC secret channel information “Host Vulnerability Summary Report” ISS vulnerability scanner reports, reveal potential vulnerabilities on hosts and networks “Network Vulnerability Assessment ISS vulnerability scanner reports, reveal Report” potential vulnerabilities on hosts and networks Usernames, Passwords, and Secret Stuff, Oh My! • Chapter 9 365 Continued 452_Google_2e_09.qxd 10/5/07 1:08 PM Page 365 Table 9.5 continued Queries That Locate Various Sensitive Information Query Description filetype:pot inurl:john.pot John the Ripper password cracker results intitle:”Index Of” -inurl:maillog Maillog files reveals e-mail traffic maillog size information ext:mdb inurl:*.mdb inurl:fpdb Microsoft FrontPage database folders shop.mdb filetype:xls inurl:contact Microsoft Excel sheets containing con- tact information. intitle:index.of haccess.ctl Microsoft FrontPage equivalent(?)of htaccess shows Web authentication info ext:log “Software: Microsoft Internet Microsoft Internet Information Services Information Services *.*” (IIS) log files filetype:pst inurl:”outlook.pst” Microsoft Outlook e-mail and calendar backup files intitle:index.of mt-db-pass.cgi Movable Type default file filetype:ctt ctt messenger MSN Messenger contact lists “This file was generated by Nessus” Nessus vulnerability scanner reports, reveal potential vulnerabilities on hosts and networks inurl:”newsletter/admin/” Newsletter administration information inurl:”newsletter/admin/” intitle: Newsletter administration information ”newsletter admin” filetype:eml eml intext:”Subject” +From Outlook Express e-mail files intitle:index.of inbox dbx Outlook Express Mailbox files intitle:index.of inbox dbx Outlook Express Mailbox files filetype:mbx mbx intext:Subject Outlook v1–v4 or Eudora mailbox files inurl:/public/?Cmd=contents Outlook Web Access public folders or appointments filetype:pdb pdb backup (Pilot | Palm Pilot Hotsync database files Pluckerdb) “This is a Shareaza Node” Shareaza client data and statistics inurl:/_layouts/settings Sharepoint configuration information inurl:ssl.conf filetype:conf SSL configuration files, reveal various configuration information site:edu admin grades Student grades intitle:index.of mystuff.xml Trillian user Web links 366 Chapter 9 • Usernames, Passwords, and Secret Stuff, Oh My! Continued 452_Google_2e_09.qxd 10/5/07 1:08 PM Page 366 Table 9.5 continued Queries That Locate Various Sensitive Information Query Description inurl:forward filetype:forward –cvs UNIX mail forward files reveal e-mail addresses intitle:index.of dead.letter UNIX unfinished e-mails filetype:conf inurl:unrealircd.conf UnrealIRCd config file reveals -cvs -gentoo configuration information filetype:bkf bkf Windows XP/2000 backup files Some of this information is fairly benign—for example, MSN Messenger contact list files that can be found with a query like filetype:ctt messenger, or AOL Instant Messenger (AIM) buddy lists that can be located with a query such as filetype:blt blt +intext:screenname, as shown in Figure 9.11. Figure 9.11 AIM Buddy Lists Reveal Personal Relationships This screen shows a list of “buddies,” or acquaintances an individual has entered into his or her AIM client. An attacker often uses personal information like this in a social-engi- neering attack, attempting to convince the target that they are a friend or an acquaintance. This practice is akin to pilfering a Rolodex or address book from a target. For a seasoned attacker, information like this can lead to a successful compromise. However, in some cases, Usernames, Passwords, and Secret Stuff, Oh My! • Chapter 9 367 452_Google_2e_09.qxd 10/5/07 1:08 PM Page 367 data found with a Google query reveals sensitive security-related information that even the most novice attacker could use to compromise a system. For example, consider the output of the Nessus security scanner available from www.nessus.org.This excellent open-source tool conducts a series of security tests against a target, reporting on any potential vulnerability.The report generated by Nessus can then be used as a guide to help system administrators lock down any affected systems. An attacker could also use a report like this to uncover a target’s potential vulnerabilities. Using a Google query such as “This file was generated by Nessus”, an attacker could locate reports generated by the Nessus tool, as shown in Figure 9.12.This report lists the IP address of each tested machine as well as the ports opened and any vulnerabilities that were detected. Figure 9.12 Nessus Vulnerability Reports Found Online In most cases, reports found in this manner are samples, or test reports, but in a few cases, the reports are live and the tested systems are, in fact, exploitable as listed. One can only hope that the reported systems are honeypots—machines created for the sole purpose of luring and tracing the activities of hackers. In the next chapter, we’ll talk more about “document-grinding” techniques, which are also useful for digging up this type of informa- tion.This chapter focused on locating the information based on the name of the file, whereas the next chapter focuses on the actual content of a document rather than the name. 368 Chapter 9 • Usernames, Passwords, and Secret Stuff, Oh My! 452_Google_2e_09.qxd 10/5/07 1:08 PM Page 368 Summary Make no mistake—there’s sensitive data on the Web, and Google can find it.There’s hardly any limit to the scope of information that can be located, if only you can figure out the right query. From usernames to passwords, credit card and Social Security numbers, and per- sonal financial information, it’s all out there.As a purveyor of the “dark arts,” you can relish in the stupidity of others, but as a professional tasked with securing a customer’s site from this dangerous form of information leakage, you could be overwhelmed by the sheer scale of your defensive duties. As droll as it might sound, a solid, enforced security policy is a great way to keep sensi- tive data from leaking to the Web. If users understand the risks associated with information leakage and understand the penalties that come with violating policy, they will be more willing to cooperate in what should be a security partnership. In the meantime, it certainly doesn’t hurt to understand the tactics an adversary might employ in attacking a Web server. One thing that should become clear as you read this book is that any attacker has an overwhelming number of files to go after. One way to prevent dangerous Web information leakage is by denying requests for unknown file types. Whether your Web server normally serves up CFM, ASP, PHP, or HTML, it’s infinitely easier to manage what should be served by the Web server instead of focusing on what should not be served. Adjust your servers or your border protection devices to allow only specific content or file types. Solutions Fast Track Searching for Usernames  Usernames can be found in a variety of locations.  In some cases, digging through documents or e-mail directories might be required.  A simple query such as “your username is” can be very effective in locating usernames. Searching for Passwords  Passwords can also be found in a variety locations.  A query such as “Your password” forgot can locate pages that provide a forgotten- password recovery mechanism.  intext:(password | passcode | pass) intext:(username | userid | user) is another generic search for locating password information. Usernames, Passwords, and Secret Stuff, Oh My! • Chapter 9 369 452_Google_2e_09.qxd 10/5/07 1:08 PM Page 369 Searching for Credit Cards Numbers, Social Security Numbers, and More  Documents containing credit card and Social Security number information do exist and are relatively prolific.  Some irresponsible news outlets have revealed functional queries that locate this information.  There are relatively few examples of personal financial data online, but there is a great deal of variety.  In most cases, specific file extensions can be searched for. Searching for Other Juicy Info  From address books and chat log files to network vulnerability reports, there’s no shortage of sensitive data online. Q: I’m concerned about phishing schemes. Are there resources to help me understand the risks and learn some safeguards? A: There’s an excellent Web site dedicated to the topic of phishing at www.antiphishing.org.You can also read a great white paper by Next Generation Security Software Ltd., The Phishing Guide: Understanding and Preventing Phishing Attacks, available from www.ngssoftware.com/papers/NISR-WP-Phishing.pdf. Q: Why don’t you give more details about locating information such as credit card numbers and Social Security numbers? A: To be honest, neither the authors nor the publisher is willing to take personal responsi- bility for encouraging potential illegal activity. Most individuals interested in this kind of information will use it for illegal purposes. If you are interested in scanning for your own personal information online, simply enter your information into Google. If you get some hits, you should be worried. Of course entering all of your personal information 370 Chapter 9 • Usernames, Passwords, and Secret Stuff, Oh My! Frequently Asked Questions The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www. syngress.com/solutions and click on the “Ask the Author” form. 452_Google_2e_09.qxd 10/5/07 1:08 PM Page 370 . My! Continued 452 _Google_ 2e_09.qxd 10/5/07 1:08 PM Page 366 Table 9.5 continued Queries That Locate Various Sensitive Information Query Description inurl:forward filetype:forward –cvs UNIX mail forward. forward files reveal e-mail addresses intitle:index.of dead.letter UNIX unfinished e-mails filetype:conf inurl:unrealircd.conf UnrealIRCd config file reveals -cvs -gentoo configuration information filetype:bkf. responsi- bility for encouraging potential illegal activity. Most individuals interested in this kind of information will use it for illegal purposes. If you are interested in scanning for your own