Yale Gets Google Dorked

Wednesday, August 24, 2011

Kelly Colgan


Article by Ondrej Krehel, Identity Theft 911

Turns out Yale has more than a few Skull and Bones in the closet.

The Ivy League school fell prey to Google hacking, also known as Google dorking, when cybercriminals use Google search functions to access data on the Internet. USA Today's Bryon Acohido has a great post on the topic.

The practice is becoming more common. The latest victims: more than 43,000 current and former Yale faculty, staff and students, with records going back to 1999. Their personal data, including names and Social Security numbers, was stored on an FTP server reachable through a Web search.

Google started indexing FTP server data in September 2010 as part of changes to its search engine collection roadmap.

As a result, FTP server data available worldwide was indexed by Google Spider.

Yale learned of the breach on June 30. By then the data had been accessible on the Internet for 10 months.

Three points worth further exploration immediately come to mind:

  • If Google had access to data through ordinary FTP searches, who else could access the information? Is it possible that other collectors of FTP server data cached and accessed the compromised files?
  • When this happens to educational institutions like Yale, it's obvious that the schools don't have a comprehensive program for monitoring their content on the Internet. Schools can implement such a program either through a paid service or by creating their own targeted Google searches and reviewing the results periodically.
  • Finally, the exposed records date back to 1999. One could question the logic behind retaining records that are 12 years old. As a best practice, institutions should have in place a data retention and destruction policy as part of an organizational privacy framework that lays out a plan for the maintenance and lifecycle of personal data in their organization.

Knowing where your data is located, what the access control mechanisms are, and having an audit process to verify that resources are properly used are generally part of every cyber risk program. When one of these fails, a data breach is inevitable.
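One way to run the kind of self-audit described above: check your own FTP server the way a search crawler sees it, with an anonymous login and a walk of the whole tree, flagging any file that contains SSN-shaped values. This is an added example, not code from the article or from Identity Theft 911; the hostname is whatever server you administer, the sample files are constructed, and the exclusion of never-issued SSN ranges goes beyond what the article discusses.

```python
import ftplib
import io
import re

# Never-issued SSN ranges: area 000, 666 or 900-999, group 00, serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def find_ssns(text: str) -> list[str]:
    """Distinct SSN-shaped values in text, in order of first appearance."""
    seen: list[str] = []
    for m in SSN_RE.finditer(text):
        if m.group(0) not in seen:
            seen.append(m.group(0))
    return seen


def scan_files(files: dict[str, bytes]) -> dict[str, int]:
    """Map each path to its count of distinct SSN-like values; omit clean files."""
    counts = {p: len(find_ssns(d.decode("utf-8", "replace"))) for p, d in files.items()}
    return {p: n for p, n in counts.items() if n}


def fetch_anonymous(host: str, max_bytes: int = 1_000_000) -> dict[str, bytes]:
    """Log in as 'anonymous' (what a crawler does) and pull every file reachable
    from '/'. An empty result means anonymous access is closed: the state you want."""
    files: dict[str, bytes] = {}
    ftp = ftplib.FTP(host, timeout=30)  # host is the server you administer
    ftp.login()  # no credentials: anonymous login

    def walk(path: str) -> None:
        for name, facts in ftp.mlsd(path):
            full = f"{path.rstrip('/')}/{name}"
            if facts.get("type") == "dir":
                walk(full)
            elif facts.get("type") == "file":
                buf = io.BytesIO()
                ftp.retrbinary(f"RETR {full}", buf.write)
                files[full] = buf.getvalue()[:max_bytes]  # keep only a prefix
    walk("/")
    ftp.quit()
    return files


# Constructed sample (not Yale's data) so the scan can run offline.
SAMPLE = {
    "/pub/backup/roster_1999.csv": b"name,ssn\nJ. Doe,123-45-6789\nA. Roe,234-56-7890\n",
    "/pub/README.txt": b"000-12-3456 and 123-00-4567 are not valid SSNs\n",
}

if __name__ == "__main__":
    print(scan_files(SAMPLE))  # {'/pub/backup/roster_1999.csv': 2}
```

Against a live server, `scan_files(fetch_anonymous("ftp.example.edu"))` gives the list of files to pull offline or lock down; a non-empty result is already a finding even before the SSN check, since nothing sensitive should be readable without credentials.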

Meanwhile, breach victims are left in the lurch. We encourage folks whose data has been compromised to check with their bank or insurer to see if they qualify for Identity Theft 911 services. Data breach victims can also follow these 6 tips to protect their identities.

Ondrej Krehel, Chief Information Security Officer, Identity Theft 911. Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.
