Personal information on about 43,000 Yale students, staff and alumni, including names and Social Security numbers, was exposed after Google indexed an unprotected File Transfer Protocol (FTP) server on which the data sat.
USA Today reported that the people who found the data used a relatively new Google capability, the indexing of content reachable over FTP, to locate the unsecured server:
“With the addition of indexing data that is accessible via FTP, hackers can now identify wide-open FTP sites that may contain sensitive data or can be used to leapfrog to other machines on the company’s internal network,” said Tom Rabaut, RedSeal analyst, [a security firm]. “Also, Google offers the ability to restrict searches to a single domain which will make it easier for hackers to limit their data mining to only target companies.”
The Yale Alumni Magazine blog said that Social Security numbers were inadvertently made accessible to Google for 10 months.
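Two checks a defender would want after reading the above, written here as an added example (not code from the original article, from Yale, or from the GHDB): the first builds site:-scoped Google queries of the GHDB kind, which is the domain restriction Rabaut describes turned around for self-assessment; the second walks a directory such as an anonymous-FTP root and flags files that contain SSN-shaped values, so the exposure is found before a crawler finds it. The query strings, the example.edu domain and the sample files are illustrative assumptions, not GHDB entries or Yale data; the SSN validity rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) follow the Social Security Administration's published format.

```python
"""
Two checks a defender can run after an incident like Yale's:
  dork_queries(domain)  builds site:-scoped search strings of the GHDB kind,
                        so you can look for your own indexed FTP content.
  scan_tree(root)       walks a directory (for example an anonymous-FTP root)
                        and reports files holding SSN-shaped values, noting
                        whether each file is world-readable.
Standard library only; the sample files below are constructed for the demo.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# SSA never issues area 000, 666 or 900-999, group 00, or serial 0000;
# excluding them cuts false positives from phone extensions, order numbers, etc.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def dork_queries(domain):
    """Illustrative GHDB-style queries, each scoped with site: to one domain (assumed strings)."""
    base = "site:%s" % domain
    return [
        base + " inurl:ftp",                              # anything Google indexed over FTP
        base + ' inurl:ftp filetype:xls "ssn"',           # spreadsheets naming SSNs
        base + ' filetype:csv "social security"',
        base + ' intitle:"index of" "parent directory"',   # open directory listings
    ]


def scan_tree(root):
    """Return one finding per file under root that contains SSN-shaped values."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue                      # unreadable or special file; skip it
        hits = SSN_RE.findall(text)
        if not hits:
            continue
        mode = path.stat().st_mode
        findings.append({
            "path": str(path.relative_to(root)),
            "count": len(hits),
            "world_readable": bool(mode & stat.S_IROTH),
        })
    return findings


def build_sample_root():
    """Create a throwaway FTP-root lookalike with constructed (fake) contents."""
    root = tempfile.mkdtemp(prefix="ftp-root-")
    pub = Path(root) / "pub"
    priv = Path(root) / "private"
    pub.mkdir()
    priv.mkdir()

    alumni = pub / "alumni.csv"          # the Yale-style exposure: SSNs, world-readable
    alumni.write_text("name,ssn,class\nJane Doe,123-45-6789,1998\nJohn Roe,456-78-9012,2001\n")
    os.chmod(alumni, 0o644)

    payroll = priv / "payroll.txt"       # SSNs present but not world-readable
    payroll.write_text("emp 0042 ssn 321-54-9876\n")
    os.chmod(payroll, 0o600)

    notes = pub / "notes.txt"            # look-alikes that are not valid SSNs
    notes.write_text("ext 000-12-3456, order 999-99-9999, ref 123-00-4567\n")
    os.chmod(notes, 0o644)
    return root


if __name__ == "__main__":
    for q in dork_queries("example.edu"):
        print(q)
    root = build_sample_root()
    for f in scan_tree(root):
        flag = "WORLD-READABLE" if f["world_readable"] else "restricted"
        print("%-20s %d SSN-shaped value(s)  %s" % (f["path"], f["count"], flag))
```

The regex matches format only, so a hit is something to inspect rather than a confirmed SSN. The dork queries can only show what Google has already indexed, which in Yale's case meant ten months too late; the directory scan is the check that catches the exposure before indexing happens.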
USA Today dates the change that made this kind of discovery possible to September 2010, when Google began indexing content reachable over FTP. The article then points readers to the Google Hacking Database (GHDB), which is not a Google feature at all: it is a long-standing, community-maintained catalog of search queries, known as "Google dorks," that surface misconfigured servers and exposed files. The GHDB site itself jokes that the term refers to "inept or foolish people as revealed by Google":
Whatever you call these fools, you’ve found the center of the Google Hacking Universe! Stop by our forums to see where the magic happens!
The "Who Are We" section of the site hosting the GHDB describes the group behind it, and suggests the database was assembled with benign intent:
We employ volunteer hackers (no questions asked) and engage their skills in short “microprojects” designed to help charities that can not afford traditional technical resources. Our industry experts vet all the work to guarantee a high-quality product, and volunteers are rewarded with glowing references from our industry-recognized subject matter experts. With each project, our volunteers move one step closer to that dream job, and a charity is brought one step closer to its technical goals. We’ve designed and built web sites, set up blogs, programmed custom web applications, conducted code reviews, performed security assessments and more, all through our volunteers’ efforts. In addition, thanks to one donor, we provide hosting, bandwidth and support for the final product free of charge.
Whatever its origins, the GHDB gives anyone, attacker or defender, a ready-made list of "dorks": search strings that turn up vulnerable servers, pages containing usernames and passwords, and similar exposures, all through ordinary Google queries. The practical lesson for an organization in Yale's position is to run those same queries, restricted with site: to its own domain, before someone else does, and to check what its FTP servers expose to anonymous clients before Google's crawler becomes one of them.