Google hacking finds sensitive information online

• Hackers have found a handy tool to take control of bank accounts, tap into corporate computer networks and dig up sensitive government documents.
• The Internet's most popular search engine can find everything from goldfish-care tips to old classmates in the blink of an eye, but it's equally adept at finding caches of credit-card numbers and back doors into protected databases.
• Google Inc. and other search providers create an inventory of the World Wide Web through an automated process that can uncover obscure Web pages not meant for the public.
• "If you don't want the world to see it, keep it off the Web," said Johnny Long, a Computer Sciences researcher and author of "Google Hacking for Penetration Testers."
• Unlike other intrusion techniques, Google hacking doesn't require special software or an extensive knowledge of computer code.
• Using Google, identity thieves can easily find credit-card and bank-account numbers, tax returns, and other personal information buried in court documents, expense reports and school Web sites that contain such information.
• Corporate spies can uncover passwords and user names needed to log on to a corporate network, or find poorly configured computers that still use default passwords.
• A search for error messages can provide important clues for intruders as well.
• Such "cached" pages can turn up security holes even after they've been fixed, or allow an intruder to scan a network without leaving a footprint.
• It's impossible to tell how often malevolent hackers use Google.
• But the recent emergence of computer worms that spread using the search engine suggests that Google hacking has been common practice for years, Long said.
• Anybody with a Web site should Google themselves using a "site:" query that lists every Web site they have available online, Long said.