'Good guys' show just how easy it is to steal ID

Elite teams of computer gurus hack into Google and find loads of credit card numbers and sensitive information

By Paul Shukovsky, Seattle Post-Intelligencer, March 5, 2005

Teams of hackers surfed the Web at Seattle University yesterday, harvesting Social Security and credit card numbers like a farmer cutting wheat. In less than an hour, they found millions of names, birth dates and numbers -- cyberburglar tools for the crime of identity theft -- using just one, familiar Internet search engine: Google.

But these were the good guys -- members of a somewhat secretive organization of computer security pros, forensic cybercops, prosecutors and federal agents called Agora.

The group decided to lift the curtain of secrecy for a day to sound a warning about the dangers of "Google hacking."

It turns out that the powerful search engine, in the hands of a knowledgeable cybertrekker, can ferret out all kinds of sensitive information never meant to be made public. All it takes are sophisticated search terms. The terms go beyond specifying key words to include file types. The right terms can even find information deleted from corporate or government Web sites but temporarily cached in Google's massive warehouse of data.

Kirk Bailey, the city of Seattle's chief information-security officer, calls his Agora compatriots "the primary defenders of the virtual world in the Northwest." Before launching eight teams of hackers from companies such as Intel Corp. and computer-security consultants IOActive, Bailey declared that "our mission is to find answers on how to fix these problems."

The hacking team members sat crunched together at round tables, each one hunched intently over a laptop. Bailey gave them the go-ahead, and fingers started flying across keyboards.

"A little music to hack by," said IOActive consultant Frank Heidt, but he then turned off the audio and got down to business.

"We're simulating an ID-theft ring," mumbled Heidt, who was focused on his screen as he entered a search term that, to the uninitiated, looked like nothing more than a jumble of meaningless letters.

Moments later, Heidt bellowed out "Yes" as military credit card numbers filled his screen. In the next chair, Akshay Aggarwal, also with IOActive, was grinning. "A million Social Security numbers of immigrants. Tax records. Addresses. What do you want?"

Around the room, hackers were compromising people's identities. They wouldn't even let the dead rest in peace.

The Intel team found a Web site listing the names, birth dates, Social Security numbers, race and religion of 602 helicopter pilots who died in Vietnam.

Another Intel team member came up with a Brazilian Web site that contained the names, credit card numbers, birth dates and home phone numbers of 388 Americans who appeared to have ordered pornographic movies online.

Bailey called the meeting to order to announce results of the contest. An ad-hoc group of lawyers and computer-security specialists won with 190 million points by digging up death certificates with Social Security numbers. But more ominously, by searching for personnel with secret clearances, the team found, in a U.S. Navy site, personal information on an expert in virology investigations and on a responder to nuclear emergencies.

Two teams found information about people on terrorist watch lists. The IOActive team was the runner-up with almost 13 million points.

IOActive Chief Executive Officer Joshua Pennell pointed out that the problem is not with Google, but with corporate cultures with the attitude, "Nobody is going to find me, nobody cares what's on my computer." These companies allow Google to enter into the public portion of their networks, sometimes called the DMZ, and index all the information contained there. Toby Kohlenberg, an information-security specialist with Intel, asserted that "Google doesn't need to be fixed. Companies need to understand that they are leaving themselves exposed" by posting sensitive information in public places. "If they're performing proper security, then their intranet shouldn't be vulnerable to a Google search engine."