Can Google be used to hack PeopleSoft?

Friday, 17 February 2006

There was a presentation at Wednesday's RSA Conference about using Google to uncover passwords, Social Security Numbers, and other things that your organization probably wants to keep hidden. Silicon Valley Sleuth had a nice write-up about it. I was wondering how much effort it would take to find some sensitive PeopleSoft information. So using the information gleaned from the article, I started searching. On my second search, I uncovered a spreadsheet with a username and password that would allow me to upload budget information to a major university's server. I didn't have the server name, but I wasn't too determined either.

A few queries later I uncovered results of PeopleSoft queries that users had saved. I found a document that contained employee e-mail addresses and another that contained employee IDs.

Besides the obvious privacy and security considerations, the exercise reminded me that universities and state governments put a lot of PeopleSoft collateral out on the Internet. For example, I found a great HRMS Query training exercise manual. I ran across a comprehensive set of GL test scripts. Maybe on my next assignment, if I need an updated coding standards document, I'll just pull one off of the Core-CT web site instead of recreating it from scratch.

I guess my conclusion is that Google can be a force for good or evil. People need to be aware that anything they place on the Internet can and will be found and used for any purpose. The price of a free Internet is eternal vigilance.

Update 2/27/2006: There's an excerpt from Google Hacking for Penetration Testers on The Ethical Hacker Network entitled 10 simple security searches that work. It does a nice job of detailing penetration searches and describing why they work.

Last Updated (Monday, 27 February 2006)
