You would be surprised at the type of information an attacker can find on Google. Many times, a company will spend thousands of dollars on cybersecurity only to be undone by a bit of info that can be found with a simple Google search. Because open source intelligence gathering is one of the first steps in many SecureState assessments (not to mention the first step for most hackers), our research analysts have found the most unbelievable information hiding in plain sight. Here are three of the craziest things we found during our assessments, as well as some tips to avoid the same mistakes yourself.
Of course. The one thing that provides access to your network is the one thing you don’t want leaked online. Hackers spend most of their time trying to crack hashed passwords, find hardcoded passwords on a machine, or use social engineering to trick a user into giving up their credentials. Can you imagine how they would feel if they just stumbled on a username and password? It sounds impossible, but it is actually a relatively common occurrence.
During an assessment for a large manufacturing company, SecureState began with a simple Google search to see what information we could gain about their network and users. One of the search results was a public forum post by a user looking for help troubleshooting an error message. As part of the question, this user provided their username and password for the target’s vendor portal. Not only was the information publicly available online, the credentials were still active, and SecureState was able to compromise their network without even phishing or exploiting any service.

Figure 1: Recreated forum post with credentials
Leaving active credentials on publicly available sites is like installing a security system only to leave the front door wide open all night—bad for the organization and good for an attacker. To help protect against such glaring vulnerabilities, it is important to regularly check your external presence and search results. While most users don’t look beyond page 3 of their search results, dedicated attackers can find useful information on page 20 or even 200. Look further down the list of search results, and don’t forget to check other search engines as well, such as Bing or Exalead. Finally, conduct security awareness training to help prevent users from sharing sensitive information online in the first place.
Developers work with GitHub all the time to share work and collaborate with other coders. But while GitHub is a useful resource, one simple oversight when uploading code can inadvertently expose sensitive information. It’s also easy to forget that search engines like Google scrape GitHub, so even if information seems obscure, an attacker can find and review code for vulnerabilities or bugs that may be useful in an attack.
During one assessment, SecureState began their reconnaissance by searching GitHub. Several developers were identified, and some had posted the source code for internal applications. One application in particular actually appeared to be visible externally. To make matters worse, the developer had previously made a public commit that included the host, username, and password for the underlying MySQL database. Although this commit was later deleted, SecureState was able to view the history and grab these valid credentials without ever interacting with the target. Again, no additional attack techniques were required to get a foothold on the internal network.
Figure 2: Recreation of connection strings from GitHub’s commit history
Because GitHub is indexed by Google, it is important to think about what you are posting before you commit anything on the site. Code can contain access tokens, internal domains or services, credentials, or information about vulnerable software that can allow an attacker to exploit weaknesses. To prevent such exposures, developers can configure Git to ignore certain files, tokens, or directories before committing to GitHub. From a strategic point of view, your organization can also institute policies and procedures for the site to ensure sensitive information isn’t shared unintentionally.
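One concrete way to catch the mistake described in the two paragraphs above before it reaches GitHub is a pre-commit hook that scans the staged diff for lines that look like credentials. The script below is an added example written for this post, not SecureState's tooling or anything from the engagement; the regular expressions, the placeholder rules, the file paths and the sample diff (with a made-up MySQL connection string) are all constructed for illustration. It blocks a commit when an added line carries a `mysql://user:password@host` DSN, a `password = "..."` assignment or a `Pwd=...` connection-string property, while letting obvious placeholders such as `${DB_PASSWORD}` through. Fed the output of `git log -p` instead of `git diff --cached`, the same `scan_diff` function audits an existing history, which is exactly where a commit the author later removed from the tip of the branch still lives.

```python
"""Pre-commit credential scanner (added example, not the project's own code).

Copy to .git/hooks/pre-commit and make it executable. It reads the staged diff
and exits non-zero when an added line looks like a hardcoded credential.
All patterns and the sample diff below are constructed for illustration; a
regex scanner is a tripwire, not a guarantee, and a secret that has already
been pushed must still be rotated because clones, forks and search-engine
caches keep the old history.
"""
import re
import subprocess
import sys
from collections import namedtuple

Finding = namedtuple("Finding", "path line kind text")

# (description, pattern); each pattern captures the secret in the 'value' group.
PATTERNS = [
    # URL-style DSNs such as mysql://app:s3cr3t@db.internal:3306/prod
    ("connection string with embedded password",
     re.compile(r"\b(?:mysql|postgres(?:ql)?|mongodb|redis)://[^\s:/@]+:(?P<value>[^\s@]+)@", re.I)),
    # password = "..." / secret: '...' / API_KEY="..."
    ("password assignment",
     re.compile(r"\b(?:password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"](?P<value>[^'\"]{4,})['\"]", re.I)),
    # ADO.NET / JDBC style key=value properties: ...;Pwd=s3cr3t;...
    ("connection string property",
     re.compile(r"\b(?:pwd|password)\b\s*=\s*(?P<value>[^;\s'\"]{4,})", re.I)),
]

# Values that are clearly templates rather than real secrets.
PLACEHOLDER = re.compile(
    r"^(?:\$\{[^}]*\}|\$[A-Za-z_]+|%[^%]+%|<[^>]*>|x{3,}|\*{3,}|changeme|redacted|example)$", re.I)

HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def is_placeholder(value):
    """True when the captured value is a template token, not a credential."""
    return bool(PLACEHOLDER.match(value.strip()))


def classify(line):
    """Return the description of the first credential pattern the line matches, else None."""
    for kind, pattern in PATTERNS:
        match = pattern.search(line)
        if match and not is_placeholder(match.group("value")):
            return kind
    return None


def scan_diff(diff_text):
    """Walk a unified diff and report added lines that look like credentials."""
    findings, path, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):              # new-side file header
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        hunk = HUNK.match(raw)
        if hunk:                                 # reset to the hunk's new-file start line
            line_no = int(hunk.group(1))
            continue
        if raw.startswith("+"):                  # added line
            kind = classify(raw[1:])
            if kind:
                findings.append(Finding(path, line_no, kind, raw[1:].strip()))
            line_no += 1
        elif raw.startswith(" "):                # unchanged context line
            line_no += 1
    return findings


# Constructed sample: a staged change that hardcodes a database password three
# ways, plus an example file that only uses placeholders.
SAMPLE_DIFF = """\
diff --git a/config/db.php b/config/db.php
--- /dev/null
+++ b/config/db.php
@@ -0,0 +1,3 @@
+$dsn = 'mysql://app_user:Sup3rS3cret!@db01.corp.example:3306/orders';
+$password = "Sup3rS3cret!";
+$conn = "Server=db01;Database=orders;User Id=app;Pwd=Sup3rS3cret!;";
diff --git a/config/db.example.php b/config/db.example.php
--- /dev/null
+++ b/config/db.example.php
@@ -0,0 +1,2 @@
+$password = "${DB_PASSWORD}";
+$password = "<your password here>";
"""


def main():
    """Hook entry point: scan what is staged and block the commit on any finding."""
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0", "--no-color"],
                          capture_output=True, text=True, check=True).stdout
    findings = scan_diff(diff)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.kind}: {f.text}", file=sys.stderr)
    if findings:
        print("commit blocked: move the credential to an ignored config file or an "
              "environment variable", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run `python3 -c 'import precommit; print(precommit.scan_diff(precommit.SAMPLE_DIFF))'` (assuming the file is saved as `precommit.py`) to see the three hits from the constructed diff and the two placeholder lines being ignored. Pair the hook with a `.gitignore` entry for local configuration files so the real values never become candidates for a commit in the first place.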
Here’s another thing hackers know: the internet never forgets. Old sites, sites with sensitive information that you think you have deleted, may still exist online, and could be found by attackers. Google not only indexes sites but also caches previous versions. Other sites such as Archive.org constantly scrape and monitor popular pages for changes and store them for anyone to pull up. As a result, info you thought you had eliminated may rise from the grave to haunt you.
During an external penetration test, SecureState discovered an internal SharePoint document that had been indexed by Google and consequently scraped by a spam blog. As a result, a quick search on the company turned up employee identification and login information that SecureState used to access the organization’s internal network.
Figure 3: Credentials Scraped from a Spam Blog (Recreation)
It’s much harder to pull information back once it is online. Even if you remove everything you can, Google remembers. If you do accidentally publish sensitive information, first make sure you know what happened, what information it is, and where it might have ended up. Second, rotate your passwords to ensure that any exposed credentials are no longer active. To avoid exposures in the future, make sure you put a process in place to restrict information before you publish. In addition, refine your onboarding and offboarding processes to ensure sensitive information isn’t being lost in transition. There are also services available to analyze your robots.txt file to ensure that engines like Google and Archive.org are not permitted to index sensitive directories. The more you can prevent from leaking, the less you have to clean up later.
Cybersecurity can be a complicated and difficult practice, especially when it comes to keeping track of all the latest attack vectors, vulnerabilities, bugs, and patches. But don’t forget the basics, and don’t forget to check what information is out there. Your organization may not be searching for what info is available online, but don’t forget—hackers are.