Google Hacking and Confidential Files Protection

Google hacking provides “easy and stylish” techniques for obtaining sensitive information. This information can be used for a vulnerability-searching attack or for another sinister purpose.

What is Google hacking?

Using powerful search engines, such as Google, anyone can look for all types of information residing on an immense number of servers connected to the web all over the globe. However, organizations usually disclose too much information on their web servers without realizing it. Search engines’ powerful features allow hackers to find sensitive information stored in the far corners of web-connected servers and perform a vulnerability-searching attack.

John Leyden, in his article “Hacking Google for fun and profit”, wrote: “Insecure websites are not the only venues at risk from Google-hacking. Network hardware can be hacked, cached printing pages can be perused and security cameras snooped on thanks to evolutions in attack techniques that are dumbing down network attacks”. Although there are plenty of ways to abuse network vulnerabilities and mount attacks that allow access to the back end of ecommerce websites, Google offers a simple and stylish technique almost everyone can employ: “this dumbing down of cracking opens the way to numerous attacks.”

Looking for credit card numbers on insecure servers or network passwords is the most frequent operation; however, Google hacking can do more. “Using screen grabs… routers with default passwords could be located and turned off. The same approach allows the cache of insecure printers to be browsed, enabling hackers to view or download potentially sensitive documents. Insecure UPS systems, time lapse security cameras and even PBX telephony systems can also be nobbled”. What’s more, police reports can be searched for references to social security numbers. The availability of private information all over the globe contributes to the rising incidence of identity theft, which has been a major problem for the last several years.

“Google can be also used to conduct reconnaissance on vulnerable systems without sending packets to a target. Attackers can map domains or get a list of vulnerable servers using the search engine.” Google makes it possible to map a website, search for directory listings, obtain the exact version of web server software, and even perform CGI scanning. And this is not an illegal procedure – as long as you don’t attempt to use the acquired information for a sinister purpose.

Once sensitive information is found by using a search engine, it is not easy to conceal it. Even if confidential pages are removed from a web server, they are usually cached, or stored, in search engines’ computers, so they can still be accessed.

In addition to searching for sensitive data, “Google-hacking has been picked up as a technique by virus writers. Recent worms have taken advantage of Google to automate the search for vulnerable machines.”

How to be Google search-proof

The Google hacking technique “can be turned on its head by security pros to find and fix potential security holes”. Google scanning is a front end for an external server assessment and contributes to the information-gathering phase of a vulnerability assessment. This operation may be necessary to find out what information from the web site has already been revealed through a search engine.

The easiest way to protect sensitive data from exposure is to keep this information off the web. Confidential information and links to protected files should never be placed on a web site, even on a temporary basis. There’s always a chance search engines might find and cache it. Consider more secure ways of sharing data, such as SSH/SCP or encrypted email.

Directory listing is an exploitable target for most attacks, so it should be disabled for all folders on a web server. Special attention should be paid to folders containing password-protected files. In addition, any folder that may be accessible to search engines should not contain lists of URLs, links to administrative pages, protected files or password databases.

Web server applications should not generate error messages automatically. If an application error occurs when a search engine’s crawler visits the web site, the error page can be cached and stored by the search engine. Hackers use this Google hacking technique to identify web sites that are vulnerable because their error messages or remote access login pages were cached.
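As an added example (not part of the original article), a site owner can check their own pages for the two exposures described above, directory listings and raw error messages, before a crawler caches them. The marker patterns, URLs and page bodies below are constructed for illustration.

```python
import re

# Markers of auto-generated directory indexes (Apache/nginx/IIS styles).
LISTING_PATTERNS = [
    re.compile(r"<title>\s*Index of /", re.I),
    re.compile(r"<h1>\s*Index of /", re.I),
    re.compile(r"\[To Parent Directory\]", re.I),
]

# Markers of raw application errors that leak paths, versions or queries.
ERROR_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),
    re.compile(r"(Warning|Fatal error)</b>:\s.+ on line <b>\d+", re.I),
    re.compile(r"ORA-\d{5}"),
    re.compile(r"You have an error in your SQL syntax", re.I),
]


def audit_pages(pages):
    """pages: {url: html_body}. Returns {url: sorted list of finding labels}."""
    findings = {}
    for url, body in pages.items():
        labels = set()
        if any(p.search(body) for p in LISTING_PATTERNS):
            labels.add("directory-listing")
        if any(p.search(body) for p in ERROR_PATTERNS):
            labels.add("error-disclosure")
        if labels:
            findings[url] = sorted(labels)
    return findings


# Constructed sample responses from a hypothetical site (not real captures).
SAMPLE_PAGES = {
    "https://www.example.test/backup/":
        '<html><head><title>Index of /backup</title></head>'
        '<body><h1>Index of /backup</h1><a href="../">Parent Directory</a></body></html>',
    "https://www.example.test/item?id=x":
        '<b>Warning</b>:  mysql_connect(): Access denied in '
        '<b>/var/www/db.php</b> on line <b>12</b>',
    "https://www.example.test/":
        '<html><title>Welcome</title><body>Hello</body></html>',
}

if __name__ == "__main__":
    for url, labels in audit_pages(SAMPLE_PAGES).items():
        print(url, labels)
```
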

Removing your site from Google’s index may of course prevent information leakage. However, if this option is impossible, consider removing specific pages that store (or did store) sensitive data and links to confidential files from the Google directory.

The most practical way to keep search engines from reaching specific information on a web site is to set up a gatekeeper in the form of an instruction page for the search engine’s crawler. Most search engines look for a file called “robots.txt”, which specifies the areas of a web site that can be indexed. The “robots.txt” file should be properly configured and updated on a regular basis to prevent exposure of sensitive information.
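An added example, not from the original article: checking a robots.txt against a list of paths that should stay out of search indexes, using Python's standard urllib.robotparser. The file contents and paths are constructed; the sample shows a common misconfiguration in which a Googlebot-specific group replaces the general group instead of extending it.

```python
from urllib.robotparser import RobotFileParser

# Constructed robots.txt: the Googlebot group omits /cgi-bin/.
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /cgi-bin/

User-agent: Googlebot
Disallow: /admin/
"""

# Constructed list of paths the site owner wants kept out of indexes.
SENSITIVE_PATHS = [
    "/admin/login.html",
    "/cgi-bin/status.cgi",
    "/reports/2004/q3.xls",
]


def crawlable_paths(robots_txt, paths, agents=("Googlebot", "*")):
    """Return {path: [agents still allowed to fetch it]} for exposed paths."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    exposed = {}
    for path in paths:
        allowed = [agent for agent in agents if parser.can_fetch(agent, path)]
        if allowed:
            exposed[path] = allowed
    return exposed


if __name__ == "__main__":
    for path, agents in crawlable_paths(ROBOTS_TXT, SENSITIVE_PATHS).items():
        print(f"{path} is still crawlable by: {', '.join(agents)}")
```

robots.txt is publicly readable and only asks well-behaved crawlers to stay out, so every path it lists still needs authentication on the server.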

Security risks associated with Google hacking should be considered more seriously

Google hacking is a serious problem for most organizations because it provides techniques for exposing many different types of information. Collecting data on the web server software version, firewall log files and the location of password-protected files makes it easier to gain unauthorized access to a remote web server. Besides, in many cases users inadvertently leave sensitive or confidential files in folders that are web-accessible, so that information quickly becomes available to the public through the search engines. To protect yourself against Google hacking, you need to be constantly aware of which information resources on your web server are open to the search engines.

Find Protected is a utility to enforce Password Security Policy


Find Protected detects incidents in which someone breaks the Password Security Policy.

  • Prevent the use of password protection for non-sensitive documents

  • Prevent information leakage when someone keeps a sensitive file in a non-secure location

  • Prevent inappropriate use of password protection (for example, password protection of personal files)
