McAfee released an updated version of its Foundstone SiteDigger security tool this week. SiteDigger is designed to help enterprises identify damaging information which may be exposed to the world at large through search engines.
Version 2.0 uses search information gathered by Google to pinpoint dangerous confidential data such as financial records, passwords and other personal information on an organization’s website.
Mark Curphey, director of consulting for Foundstone professional services at McAfee, says sophisticated search engine technology and methods for discovering information are proliferating at a rapid rate. “Search engines have become so powerful, it’s just a matter of hackers asking for the right thing,” Curphey says.
Hackers have long used search engines and search technology to gather lists of potentially damaging information and then to mine those lists to get access to critical areas including secure forms, network administration interfaces, application server interfaces and database query tools.
The free tool can find 800 information types, a massive leap from the previous version’s 150 types. The original tool was released in August 2004 and attempted to scour the company’s websites manually. By using Google’s Web Services API to create queries, the new tool is faster, more accurate and scans much more deeply for damaging data.
Curphey cites as examples a law firm exposing settlements from divorce cases, or a power utility company exposing PINs for the door entry systems of microwave towers in a presentation.
Laura Koetzle, research director of computing systems for Forrester Research, says customers also need to determine whether data inadvertently exposed in search engines could embarrass the company or even amount to a violation of privacy regulations such as required protection of records. “You want to be sure you haven’t unwittingly exposed information,” Koetzle says.
In recent months, several Google hacks have been released to find listings of everything from surveillance cameras to credit card numbers. Tools such as Foundstone SiteDigger will allow companies to mine their own data to ensure they are protecting themselves and their customers.