How to hide important information from an all-seeing search engine
It is unthinkable today to run any serious business without computers. Companies now store all of their documentation, corporate documents, and customer information online.
It is important to understand that when such files are not password protected, there is a strong likelihood that search engines will index them and that the data can be found simply by using Google.
Unfortunately, the importance of following security measures is often underestimated. This can be seen in the constant leaks of users' data, the hacking of accounts, and so on. Incidentally, the number of cybercrimes is the highest in fintech and banking, even though, it seems, the best resources are always thrown at protecting finances.
In such leaks, a company's mistakes and the users' digital illiteracy matter more than the ability of the hackers. Important data is often obtained by the hackers for free. They only need to know where to look.
Let's discuss the key points of protecting your files from prying eyes.
Security through obscurity is poor protection
You cannot rely on luck in today's digital environment. Of course, the likelihood that a hacker will be interested in a particular user or even a specific company is quite small. But the fact is that potential victims are not searched for manually. They are often searched for automatically using special malicious software. Sometimes even services designed to help the ordinary user can play into the hands of hackers. Modern search engines are just one of these services.
Search engines regularly scan cloud storage and index the files that can be accessed by following a link. So if you share a direct link to a document with your colleagues, search engines can find this document. This means that its contents are effectively public.
It may seem that generating a unique file name is a fairly reliable method of protection since it is not easy to guess. However, you should not rely on outsiders not knowing the exact location of your data. This principle is called "security through obscurity" and it is not recommended. If there is a technical ability to find your documents, you should be prepared for a leak. It is as if you were hiding the keys to your apartment under the doormat. You don’t do that, right?
How do Google Queries Work?
Most search engines have a built-in query language that lets them answer not only plain text queries but also queries with special operators (site:, inurl:, intext:, and so on).
For example, if you type “site:hitecher.com data leakage” in the search bar you will find all the articles on our website that are related to data leakages. This is a rather convenient tool that allows you to make a search more accurate. However, sometimes such queries can allow you to find information that is not intended for public viewing.
Searches that allow you to access accidentally indexed private pages are called Google hacks. With the help of these Google hacks, you can find any information that site owners inadvertently forgot to block from being indexed. Password lists, analytical data, office pages, server settings, and more could be at risk.
Exploit-db.com has been keeping a record of such vulnerabilities in a separate database since 2003. 4,827 Google hacks have been collected on the site to date.
Over time, some entries in the database become irrelevant as careless website owners correct their server settings and update compromised data.
How can you protect your documents?
The reason for such leaks is the carelessness of users and website owners. By default, any search engine will index everything it finds. Users must be careful and not allow their data to be indexed.
To protect files from being indexed, either do not make them available via a direct link, or require authorization to access the data.
Another less reliable way is to set up a robots.txt file which contains indexing rules for a particular site. You can specify a ban on indexing files and directories. The problem is that you have to rely on the honesty of the search robot, while some algorithms completely ignore the instructions from the robots.txt file.
The fourth way is to hope that the search engine does not index your link to the file, which, as we have already said, doesn't work.
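The difference between these options can be checked mechanically. The following is an added example, not code from the original article: it classifies files by the only control that keeps them out of a search index, using Python's standard robots.txt parser. The host `files.example.com`, the paths, the responses and the `ExampleBot` agent name are constructed sample data, and the `X-Robots-Tag` response header is a further advisory mechanism that the article itself does not mention.

```python
from urllib.robotparser import RobotFileParser

# Constructed sample data (not from the article): one robots.txt and the
# status code / headers an anonymous request would receive for each file.
ROBOTS_TXT = """\
User-agent: *
Disallow: /private/
"""
OBSERVED = {
    "https://files.example.com/docs/contract.pdf": (401, {}),
    "https://files.example.com/private/payroll.xlsx": (200, {}),
    "https://files.example.com/share/a8f3c1/report.pdf": (200, {"X-Robots-Tag": "noindex, nofollow"}),
    "https://files.example.com/share/9d2e77/clients.csv": (200, {}),
}

def classify(url, status, headers, robots_txt=ROBOTS_TXT, agent="ExampleBot"):
    """Name the only control standing between `url` and a search index."""
    if status in (401, 403):
        return "auth-required"  # the server refuses anonymous clients
    # Everything below is advisory: an anonymous client still gets the file.
    directives = {d.strip().lower() for d in headers.get("X-Robots-Tag", "").split(",")}
    if directives & {"noindex", "none"}:
        return "noindex-header-only"
    robots = RobotFileParser()
    robots.parse(robots_txt.splitlines())
    if not robots.can_fetch(agent, url):
        return "robots-txt-only"  # depends on the crawler obeying the rule
    return "exposed"  # an unguessable name is the only "protection"

def audit(observed=OBSERVED):
    """Map every observed URL to its classification."""
    return {url: classify(url, status, headers) for url, (status, headers) in observed.items()}

if __name__ == "__main__":
    for url, verdict in audit().items():
        print(f"{verdict:20} {url}")
```

Only the `auth-required` result is enforced by the server; every other verdict describes a file that anyone holding the link can still download.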
The best advice for those who want to protect their files: before allowing access via a direct link, always check if the file contains sensitive data that is not intended for prying eyes.
Tags like “for official use” or “secret” are a great help for hackers to find really important information among indexed documents. For greater safety it is best to avoid such tags or, for example, use your own non-standard notation.
If you are working on some kind of document in the cloud, it is better to invite colleagues for co-editing via email rather than a direct link. In addition, you should limit the list of people who may invite others to edit it.
Cloud systems are very convenient for collaboration, but we must remember that it is precisely on such services that hackers direct their attention. For really important corporate data, an expensive but reliable internal document management system might be worth it.
Do not forget about setting strong passwords. Many people still use birthdays or the names of their loved ones as a password, which is not much better than the password “12345”. For added security, you can set up two-factor authentication.
And one more tip: compose documents so that they will not damage the reputation of your company if they become publicly accessible.
You can check how well you have protected your data using this special checklist.