Google Hack Basic


© 2009 Randy Marchany

Data Mining on the Web

Randy Marchany, VA Tech IT Security Office


What People Think of Security
Internal Network

The Firewall will protect us!

The Big Bad Internet


What Were You Thinking?
• Student in my Computer Security class
tried to cheat
• Duh!
• Busted!

1/27/2010 3
The Things That Scare Me
• Downloading a trojan to a www site
through an input screen
• Metasploit Attack – why patching
systems is critical
• Bluetooth Eavesdropping
• Gigapan Inaugural Shot

The Things That Scare Me
• Data Broker Acxiom
• InfoBase Ethnicity System
• “Broad & precise breakdown of ethnic, religious
and minority classifications”
• Matches names against housing, income,
education & other demographics
• Naviant Technologies
• Processes online product registrations for
companies like IBM
Things That Scare Me
• Weblining
• Web version of redlining
• Businesses used to redline entire
neighborhoods
• Companies use your personal data to limit
your choices or make you pay more for products
• www.businessweek.com/2000/00_14/b3675027
• Companies offer products/services based
on what you can afford
Google Searching Basics
• Google is the real world “Matrix” Oracle
• Ask the proper question to get what you
really want
• main page button – “I’m Feeling Lucky”
• Forwards you to the highest rank page for the
search term you entered
• Usually the most relevant page for the search
term
Google Searching Basics
• Results Page
• Important item: size and date the page was
last crawled
• Google Groups
• USENET newsgroups are the oldest of the
discussion groups
• Good info there from the real geeks
• Google Groups is the entire USENET archive
since 1995
Google Advanced Operators
• Intitle, Allintitle
• Title of a page is text within HTML TITLE
tags
• Intitle locates text in a title bar of a www
page
• Word or phrase is the search term
• Allintitle says every single word or phrase
is to be found in the page title
Google Advanced Operators
• Intitle:”index of” “backup files” is not the
same as allintitle:”index of” “backup
files”
• Allintext: locates a string within the text
of a page
• Inurl, allinurl: finds text in a URL
• Site: search for pages that are hosted
on a specific server or domain.
Google Advanced Operators
• Filetype: search for specific filetypes
• See http://filext.org for list of all known file
extensions ~8K!
• Google has examples of every one of them
in its database
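The difference between intitle: and allintitle: noted above, as an added example that is not part of the original slides: a small matcher run over three constructed page records. Plain substring matching stands in for Google's word-based matching, and the example.test URLs are invented.

```python
import re

# Constructed records: what a crawler might have stored for three pages.
PAGES = [
    {"url": "http://files.example.test/pub/", "title": "Index of /pub",
     "text": "Parent Directory notes.txt backup files 2009"},
    {"url": "http://www.example.test/howto.html", "title": "Index of backup files",
     "text": "How we rotate tapes"},
    {"url": "http://www.example.test/about.html", "title": "About us",
     "text": "index of backup files is mentioned here only in the body"},
]

FIELDS = {"intitle": "title", "inurl": "url", "intext": "text"}
TOKEN = re.compile(r'(?:(\w+):)?(?:"([^"]+)"|(\S+))')

def parse(query):
    """Return [(field, phrase)]; field None means 'anywhere on the page'."""
    terms, sticky = [], None
    for op, quoted, bare in TOKEN.findall(query):
        op, phrase = op.lower(), (quoted or bare).lower()
        if op.startswith("all") and op[3:] in FIELDS:
            sticky = FIELDS[op[3:]]             # all* binds every later term too
            terms.append((sticky, phrase))
        elif op in FIELDS:
            terms.append((FIELDS[op], phrase))  # binds this one term only
        else:
            terms.append((sticky, f"{op}:{phrase}" if op else phrase))
    return terms

def matches(page, query):
    everywhere = " ".join(page.values()).lower()
    for field, phrase in parse(query):
        haystack = page[field].lower() if field else everywhere
        if phrase not in haystack:
            return False
    return True

def search(query):
    return [p["url"] for p in PAGES if matches(p, query)]

if __name__ == "__main__":
    for q in ('intitle:"index of" "backup files"',
              'allintitle:"index of" "backup files"'):
        print(q, "->", search(q))
```

With intitle: only "index of" must be in the title, so the directory listing matches; allintitle: also requires "backup files" in the title and drops it.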

Google Hacking Basics
• Google cache allows you to crawl an
entire www site without ever visiting it
• Cache banner says “This cached page
may reference images which are no
longer available.”
• This tells us something about how
Google handles cache files
Google Hacking: Pre-Assessment
• Check out company HR www sites
• Intitle:intranet inurl:intranet +intext:”human
resources”
• Usually provides names of contact
people
• Check out Help Desk sites
• site:company.com intranet | help.desk
• Automated email trolling
Google Hacking – Addresses
• Outlook Express, Eudora use .mbx files
• Site:your.site –filetype:mbx mbx
intext:Subject
• Finds mailboxes accessible via the net
• Find email, calendars, address books
• site:your.site –filetype:pst pst ( contacts |
address | inbox)
• Modify filetype directive to search for particular
email folders
Google Hacking – Blogs, IM
• People put all sorts of stuff in their blogs
• Search for person’s name, email
address combined with homepage,
blog, family to find their blogs
• Get a copy of their IM buddy list
• inurl:buddylist.blt to get them from
Google
Google Hacking – Physical Scout
• Find corporate logos
• Use for letterhead, ID badge (need pic of real ID
badge…see below)
• Use Google Local (local.google.com) to
find businesses near your target
• Use this info to find potential staff hangouts
» Friday after work beer place, bar
» Find closest coffee shops, diners, gas stations, take
pics of employee badges
10 Simple Searches That Work
• site:
• Troll through all of the content Google has
on a target site
• Use in conjunction with some of the other
queries listed
• Example: site:washingtonpost.com
-site:www.washingtonpost.com locates
pages in the domain other than
www.washingtonpost.com
10 Simple Searches That Work
• intitle:index.of
• Universal search for Apache-style directory
listings
• Directory listings yield a tremendous
amount of information to the attacker

10 Simple Searches That Work
• username | userid | employee.ID |
“your username is”
• Can be used to build a list of usernames on the target
system
• Combine with the site: directive

• password | passcode | “your password is”
• Shows pages that help you remember a password
• Shows pages that help you create a password
10 Simple Searches That Work
• error | warning
• intitle:error
• Searches for error messages on web pages
that have the string “error” in them

• login | logon
• Searches for login portals to a www site
• Used to harvest usernames and
troubleshooting procedures
10 Simple Searches That Work
• admin | administrator
• Used to find who the key players are
• Used to find administrative login pages
• -ext:html -ext:htm
• -ext:shtml -ext:asp -ext:php
• -ext is a negative query that returns no results when used
alone
• Searches for filetypes
• See www.filext.com for list of all known file extensions

10 Simple Searches That Work
• inurl:temp | inurl:tmp | inurl:backup
|inurl:bak
• Combined with site operator
• Searches for temporary or backup files or directories on a
server
• Also locates files that contain these terms as file extensions

• intranet |help.desk
• Find help desk sites that might have a lot of information on
how to do things at a site

Tracking Down Stuff
• Network cameras
• Intitle:snc-z20 inurl:home/ searches for Sony
Network Cameras
• Laser Printers, copiers, fax, toasters….
• Locate usernames
• filetype:wab wab searches for Outlook Express Mail
address books
• Locate password information
• filetype:htpasswd htpasswd searches for
HTTP htpasswd Web user credentials
Tracking Down Stuff
• AIM buddy lists
• filetype:blt blt +intext:screenname
• Outlook Express email files
• filetype:eml eml intext:”Subject”
+From
• MSN Messenger contact lists
• filetype:ctt messenger
Document and Database Grinding
• pdf – Adobe PDF file
• doc – Microsoft Word doc
• txt – Text file
• xls – Excel or Works spreadsheet
• ppt – Powerpoint file
• rtf – Rich Text Doc
• wp – WordPerfect doc
• wk1 – Lotus 1-2-3 worksheet
• ps – Microsoft Works doc
• mdb – Microsoft Access database
• Mcw, mw – MacWrite file
Document and Database Grinding
• filetype:xls username password email – passwords
• inurl:admin filetype:xls – administrative data
• filetype:xls ssn – social security # search
• filetype:mdb inurl:users.mdb – email address search
• filetype:fp7 fp7 – FileMaker Pro DB I/F
• inurl:pls/admin_/gateway.html – Oracle login portal
• inurl:main.php phpMyAdmin - phpMyAdmin
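A defender-side check built from the searches above, added here as an example (not from the original slides): flag files under your own web root whose extension or name matches what these queries look for, so they can be removed or access-controlled before a crawler indexes them. The sample listing and the /var/www/html path are constructed.

```python
import os
import re

# Extensions named on the slides above, with the data each usually holds.
RISKY_EXT = {
    "mbx": "mailbox", "pst": "mailbox", "eml": "e-mail message",
    "wab": "address book", "blt": "IM buddy list", "ctt": "IM contact list",
    "htpasswd": "web credentials", "mdb": "database", "fp7": "database",
    "xls": "spreadsheet",
}
# Path words from the inurl:temp | inurl:tmp | inurl:backup | inurl:bak search,
# matched only as whole path components or extensions.
RISKY_WORD = re.compile(r"(?:^|[/._-])(temp|tmp|backup|bak)(?=$|[/._-])", re.I)

def classify(path):
    """Return the reasons a served path deserves review (empty if none)."""
    reasons = []
    name = path.rsplit("/", 1)[-1].lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in RISKY_EXT:
        reasons.append(f"{RISKY_EXT[ext]} file (.{ext})")
    word = RISKY_WORD.search(path)
    if word:
        reasons.append(f"temporary/backup name ({word.group(1).lower()})")
    return reasons

def audit(paths):
    """Map each flagged path to its reasons; clean paths are omitted."""
    return {p: r for p in paths if (r := classify(p))}

def served_paths(docroot):
    """Yield docroot-relative paths of every file under a web root."""
    for folder, _dirs, files in os.walk(docroot):
        for f in files:
            rel = os.path.relpath(os.path.join(folder, f), docroot)
            yield rel.replace(os.sep, "/")

# Constructed listing standing in for served_paths("/var/www/html").
SAMPLE = ["index.html", "hr/staff.xls", "old/site.tar.bak", ".htpasswd",
          "mail/inbox.mbx", "img/logo.png", "tmp/upload_1.dat", "template.html"]

if __name__ == "__main__":
    for path, reasons in audit(SAMPLE).items():
        print(path, "->", "; ".join(reasons))
```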

Tracking Down Stuff
• Search for SSN, CCN
• Use VT Find_SSN, Find_CCN tools
available from http://security.vt.edu
• Search for personal financial data
• Quicken, MS Money, tax programs
• Mbf – MS Money backup files
• tax – Intuit TurboTax Return
• ptdb – Peachtree Accounting Database
• stx – Simply Tax Form
SSN Finders or SSN Generators?
• Software to search for sensitive data on
computers
• Can they be used to generate SSN/CCN?
• Freeware
• VT – Find_SSNs
• Cornell – Spider
• UT-Austin – SENF
• Commercial
• IdentityFinder

Inside the Twisted Mind…

Why buy the cow when you
can get the milk for free?
Obtaining Personal Information
• Public Records can be accessed from
anywhere in the world.
• Local governments are allowing access
to sensitive info via the Web without
thinking about security.

County Clerks and Identity Theft
• Making legal docs available on the net w/o
good security practices.
• A secure www site isn’t enough
• Tom Delay SSN From Public Records
• Jeb Bush SSN From Public Documents
• Colin Powell Deed of Trust
• Colin Powell SSN from Public Records
• Do County Clerks (by extension, the state
legislature) facilitate ID Theft?
What’s Going On Here?
• We’re spending $$$ to protect sensitive
data (SSN) but….
• State govt is allowing SSN info to be
obtained online so….
• Laws need to be coordinated but….
• Update: VA passed a law (7/1/08) that makes
it illegal to distribute SSN legally obtained
from public govt www sites
The Twisted Mind…
• If you’re not doing anything illegal, you
shouldn’t care whether you’re
“surveilled”
• What if I just want to track you?
• NY Times article on bored security staff
tracking people on the streets….

Cell phone voicemail easily hacked
They got Paris Hilton's contacts, and could get yours, too
By Bob Sullivan
Technology correspondent
MSNBC
Updated: 3:51 p.m. ET Feb. 28, 2005

T-Mobile said the company's computer forensics and security team were "actively investigating to determine how Ms. Hilton's information was obtained."

"We were shocked by mobile voicemail vulnerability," he said. "This is not about (cell phone) operator bashing. This is about generating attention. They knew this and haven't generated any action."
hiltonbook.html
The Twisted Mind…
• Smart phones and PDA’s have become
the electronic equivalent of the sticky
note
• Put my passwords in the device
• What if I drain your battery?

Cell Providers & Backups
• T-Mobile Sidekick Disaster: Danger’s
Servers Crashed, And They Don’t Have
A Backup
• Leaking crypto keys from mobile
devices
• http://news.cnet.com/8301-27080_3-10379115-245.html

Taking Advantage of the Surveillance Society We’ve Become…
Summary
• There are other search engines
• Bing, Yahoo, Ask.com
• Facebook, Myspace, Mugshot, Drupal,
Joomla!
• County Courthouse www sites
• Real Estate/GIS www services
• Pay sites – Intelius
Questions?
• Randy Marchany, VA Tech IT Security
Office & Lab, 1300 Torgersen Hall, VA
Tech, Blacksburg, VA 24060
• 540-231-9523
[email protected]
• http://security.vt.edu

References
• “Google Hacking”, Johnny Long,
Syngress Publishing, ISBN: 1-931836-36-1
