There was a presentation at Wednesday's RSA Conference about using Google to uncover passwords, Social Security Numbers, and other things that your organization probably wants to keep hidden. Silicon Valley Sleuth had a nice write-up about it.
I was wondering how much effort it would take to find some sensitive PeopleSoft information. So using the information gleaned from the article, I started searching.
On my second search, I uncovered a spreadsheet with a username and password that would allow me to upload budget information to a major university's server. I didn't have the server name, but I wasn't too determined either.
A few queries later I uncovered results of PeopleSoft queries that users had saved. I found a document that contained employee e-mail addresses and another that contained employee IDs.
Besides the obvious privacy and security considerations, the exercise reminded me that universities and state governments put a lot of PeopleSoft collateral out on the Internet.
For example, I found a great HRMS Query training exercise manual. I ran across a comprehensive set of GL test scripts. Maybe on my next assignment if I need an updated coding standards document, I'll just pull one off of the Core-CT web site instead of recreating it from scratch.
I guess my conclusion is that Google can be a force for good or evil. People need to be aware that anything they place on the Internet can and will be found and used for any purpose. The price of a free Internet is eternal vigilance.
Update 2/27/2006: There's an excerpt from Google Hacking for Penetration Testers on The Ethical Hacker Network entitled 10 simple security searches that work. It does a nice job of detailing penetration searches and describing why they work.

