Posts in Security Testing
Fun with Google
I'm doing some self education with security testing again. It's been a while. I'm back to Hacker High School working the lessons.

Today, it's fun with Google. I can't hack any real sites, so I thought I would try to find stuff on some of my sites. I found a lot of good detail by reading the Google Hacking Mini-Guide by Johnny Long.

Even something so simple as the following can return a lot.

allintitle: "index of" xls

I couldn't find a problem with any of my sites, but that's probably because they are so poorly designed that Google can't even index them properly.
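Waiting for Google to index a mistake is the slow way to find it. The script below is an added example, not code from this post: given the HTML of a page on a server you own, it decides whether the page is a web-server directory listing (an Apache or nginx autoindex page, whose title begins with "Index of") and lists the linked files with extensions that dorks like the one above go looking for. The sample pages, the `SENSITIVE_EXTENSIONS` set and the `scan_url` helper are my own assumptions; the sample HTML is constructed in the shape mod_autoindex produces, so the check runs offline.

```python
"""Detect "Index of ..." directory listings and flag sensitive files in them.

Added example (not from the original post). Feed it HTML you fetched from a
server you own, or saved from a browser, to find the exposure the
allintitle:"index of" xls dork would find.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Assumption: extensions worth flagging; extend the set for your environment.
SENSITIVE_EXTENSIONS = {"xls", "xlsx", "csv", "sql", "bak", "log", "conf", "ini", "env", "zip"}


class _ListingParser(HTMLParser):
    """Collect the <title> text and every href on the page."""

    def __init__(self):
        super().__init__()
        self.title_parts = []
        self.hrefs = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title_parts.append(data)


def _parse(html):
    parser = _ListingParser()
    parser.feed(html)
    parser.close()
    title = "".join(parser.title_parts).strip().lower()
    return title, parser.hrefs


def is_directory_listing(html):
    """True if the page looks like an autoindex page (title starts with 'Index of')."""
    title, _ = _parse(html)
    return title.startswith("index of")


def exposed_files(html, extensions=SENSITIVE_EXTENSIONS):
    """File names in a directory listing whose extension is in `extensions`.

    Returns [] for pages that are not listings: a link to a spreadsheet on a
    normal page is a publishing decision, an autoindex entry usually is not.
    """
    title, hrefs = _parse(html)
    if not title.startswith("index of"):
        return []
    found = []
    for href in hrefs:
        # Drop query string and fragment, then decode %xx escapes.
        name = unquote(href.split("?", 1)[0].split("#", 1)[0]).strip()
        # Skip Apache's column-sort links (href is just '?C=N;O=D'), the
        # parent-directory link and subdirectories (trailing '/').
        if not name or name.endswith("/"):
            continue
        basename = name.rsplit("/", 1)[-1]
        match = re.search(r"\.([A-Za-z0-9]+)$", basename)
        if match and match.group(1).lower() in extensions:
            found.append(basename)
    return found


def scan_url(url):
    """Fetch a URL on a server you own and report exposed files (network; not run offline)."""
    import urllib.request
    with urllib.request.urlopen(url, timeout=10) as resp:
        html = resp.read().decode("utf-8", errors="replace")
    return exposed_files(html)


# Constructed sample pages, shaped like Apache mod_autoindex output.
SAMPLE_LISTING = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /reports</title></head>
<body><h1>Index of /reports</h1>
<table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td></tr>
<tr><td><a href="q1-sales.xls">q1-sales.xls</a></td></tr>
<tr><td><a href="customers.csv">customers.csv</a></td></tr>
<tr><td><a href="readme.txt">readme.txt</a></td></tr>
<tr><td><a href="archive/">archive/</a></td></tr>
</table></body></html>
"""
SAMPLE_NORMAL_PAGE = """<html><head><title>Quarterly reports</title></head>
<body><a href="q1-sales.xls">Q1 sales</a></body></html>
"""

if __name__ == "__main__":
    print(is_directory_listing(SAMPLE_LISTING), exposed_files(SAMPLE_LISTING))
    print(is_directory_listing(SAMPLE_NORMAL_PAGE), exposed_files(SAMPLE_NORMAL_PAGE))
```

If the check turns something up, the fix is on the server, not in Google: `Options -Indexes` in the Apache directory configuration, or `autoindex off;` in nginx, and then a removal request for anything already cached.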

This is a lot of fun and a bit addictive. I recommend turning SafeSearch on if you have an aversion to illicit material.
"Regretfully, we don't know how to protect data even though we spend millions on it every year..."
Crap.

That's what I have to say.

First paragraph:
We value the trust people place in |Company|. Regretfully, we have learned that a computer, which contained information about you including your name, address, Social Security Number from your |Company| inquiry or application on |Date|, is missing and may have been stolen. The computer had two layers of security, and we have no indication that the information has been accessed or misused.

First, how do you not know if it's stolen? The letter goes on to say it was lost while shipping. Shipping! It's digital information! Just FTP my account information! What the heck is my information doing on the back of a UPS truck?!?!

(To be fair, I don't know if it was UPS.)

Second, you're telling me it has two layers of security and that's going to make me feel better? So I'm supposed to think hacking a Windows password and bypassing your homegrown application security is going to be a problem? Give me a break!

Banks suck.