INFO 200 Intellectual Foundations of Informatics

LAB 9: Security GOOGLE HACKING CONTEST OVERVIEW To engage in a team exercise that probes the security gaps in networked systems. GOALS 1. To gain a better understanding of the vulnerabilities of online networked systems and the potential misuses of search engines. 2. To raise your awareness of the need for basic network security and management. 3. To raise your awareness of serious issues regarding privacy and security. CONTEST STRATEGIES You can research what the possible strategies might be at sites like the following: Long, Johnny, Google Hacking Mini-Guide, May 7, 2004. Link: http://www.informit.com/articles/article.aspx?p=170880 Gregg, Michael. Google Hacking, section in chapter in Understanding Footprinting and Scanning chapter. Certified Ethical Hacker Exam Prep., June 9, 2006. Link: http://www.informit.com/articles/article.aspx?p=472323&seqNum=5 Google Hacking. iHacked.com. September 26, 2004. Link: http://www.ihacked.com/content/view/23/42/ Or you can find your own references by simply going to Google and searching for Google hacking. CONTEST RULES ESSENTIAL!!! Make sure you read all six rules, before you read the instructions (which are on page 3). Rule #1: Information Protection All participants must be VERY CAREFUL to manage and protect any sensitive information they discover from disclosure beyond the current exposure the data already has online. Brow-Beating about This Rule: The intent of this contest is to learn more about a provocative and troubling public problem. The intent of the contest is not to break any laws, harm an individual or organization or embarrass anybody or institution. Information that is found during the contest is for demonstration and instructional purposes only. The TA will remind you of your obligation to follow this rule above all others.

Last updated 9 July 2009

2
Rule #2: Required Gear for Competing Teams Teams will need access to as many computing devices as they feel are necessary to win the contest depending on what Google hacking strategy they decide to employ. Teams should provide at least one standard-size (8 x11) paper notepad and several manual writing devices for scoring purposes. Rule #3: Respecting UWs Internet Connection and Network Everyone who even thinks about misusing UWs Internet access will be disqualified! Brow-Beating about This Rule: This is serious stuff. As students, Internet access is graciously provided by UW. This service is not to be used for any malicious purpose. Rule #4: Judging Each team will select a judge (The TA will be checking with judges). The Judge oversees teams information discovery claims and scoring. The judge will also act as an observer of the teams activities to ensure all rules are observed and will apply uniform oversight and scoring tabulation. Brow-Beating about This Rule: This control is necessary to ensure fair and equal rigor with scoring tabulation for all teams. Rule #5: Time Allowed for Hacking and What to Consider. Teams will be given 1 hour with the Google search engine. When the time is up, the team with the most points wins the contest. Teams must use their time wisely and efficiently. It isnt just about locating the targeted information, the discoveries have to be accurately documented and scored during the hacking timeframe. Discovered data has to be documented (On that 8 X11 notepad) with a listing of the associated URL, brief description of the discovered document or data file. In addition, the information content has to be reviewed for scoring by the judge. So think about how this might best be done before you get into the actual event. Brow-Beating about This Rule: We want to allow enough time for you to have fun and find plenty of interesting and thought provoking discoveries; however, we also wish to save enough time in class for discussing what was found. Rule #6: Scoring Points will be awarded based on the scoring criteria listed below. Points will only be allowed for documented discoveries made during the timed Google hacking period, with the judge (in collaboration with the TA) observing the search and discovery processes of the group.

Last updated 9 July 2009

Scoring Personally identifiable information: Name and Social Security Number (SSN) together: Name, SSN, Date of Birth (DOB) together: Name, Credit Card number (CC#) together: Name, CC#, Expiration date together: Name, CC#, Exp. Date, and 3-digit security code (aka CID#) together: Name, Bank Account Number or Brokerage Account Number Name, Bank Account Number and PIN Additional data associated with each CC# & SSN (e.g. address, phone) Name, password, and related online account identifier to anything Bonus points for anything above associated with a Washington State Citizen

Points 1.0 2.0 1.0 2.0 3.0 1.0 3.0 0.5 5.0 10.0

Most Sensitive Document Bonus: Each team will select what they think is their most provocative and sensitive document discovered during the exercise and submit that selection to the Judge. The judge will present them to the class at the end of the contest, who will vote on which is the most sensitive document, that team will be given 50 bonus points! If the class does not agree on the most sensitive document, teams will be judged on the number of points associated with documented discoveries. INSTRUCTIONS 1. Divide into groups of 4-5. 2. Select one or several strategies in your group (see above p. 1). 3. Spend a few minutes examining the system, to get a sense of the vulnerabilities. 4. Go hacking, and be ready to report to the class. 5. Prepare a 4-5 minute summary of your discoveries to present to the rest of the class in the lab. Be sure to highlight what your group thinks to be the most sensitive discovered information. WRITE-UP Each group will submit to the TA a 1 page write-up describing one of their documented discoveries, showing the weaknesses and strengths of the system of that discovery, and offering suggestions for the user and the designer.

Last updated 9 July 2009

4 In the News and Stories on Google Hacking Compiled by Sylvain Cibangu Fall 2008 http://www.silicon.com/search/?q=google+hacking&c=news&ss=date&submit.x=10&submit.y= 11 (google hacking in news 1) http://software.silicon.com/security/0,39024655,39205078,00.htm (story 2008) http://search.theregister.co.uk/?q=google+hacking (google hacking in news 2) http://www.theregister.co.uk/2008/10/10/google_cross_domain_bug/ (story 2008) http://michellemalkin.com/?s=google+hacking (google hacking in news 3) http://michellemalkin.com/2008/09/18/closing-in-on-the-palin-e-mail-hacker/ (story 2008 http://search.nwsource.com/search?from=PI&query=google+hacking&searchtype=network&x=1 1&y=8 (google hacking in news 4) http://seattlepi.nwsource.com/business/181377_msftsearch09.html (story 2004) http://search.cbsnews.com/?source=cbs&q=google+hacking&x=18&y=14 (CBS news google hacking in news 5) http://www.cbsnews.com/stories/2008/02/27/tech/main3885232.shtml?source=search_story (story 2008) http://www.wired.com/search?query=google+hacking&siteAlias=all&x=9&y=6 (google hacking in news 6) http://blog.wired.com/defense/2008/09/onine-posse-ass.html (story 2008) http://search.internet.com/www.internetnews.com (google hacking in news 7) http://www.internetnews.com/commentary/article.php/3776876/NoLowHigh+Tech+Hacking+It +All+Matters.htm (story 2008) http://www.zdnet.co.uk/search/index.htm?c=resources&q=google+hacking&submit.x=22&subm it.y=10 (google hacking in news 7) http://downloads.zdnet.co.uk/0,1000000375,39298208s,00.htm (story 2008)

Also FYI http://sector.ca/prepost.htm (Security Education Conference in Toronto with three leaders in Google hacking: J. Long, D. Covostos, & H.D. Moore)

Last updated 9 July 2009