
More Google Calendar Leakage

After reading the piece on RSnake’s blog at ha.ckers.org I was inspired to try a few other search combinations for Google Calendar. Here is one example of someone who had made public their PGE bill including the account number. This was simply searching on “username” & “password”. I have removed the juicy bits.

PGE Bill Due
Dear Valued Customer,

A new energy statement for your PG&E account 4939******-* is now available to view online. You can also print a copy of your statement online.

PG&E energy statement (e-Bills) information
Amount Due: $86.21
Due Date: April 20, 2007

Then I searched for “Credit Card”. Here is a gent who posted his receipt for tickets to see Rufus Wainwright.

Ticket Confirmation
***********, ***********

Date: 04/22/2007 08:00 PM

2 Rufus Wainwright @ $45.00 $90.00

SVC CHG: $2.00
SUBTOTAL: $90.00
TAX: $0.00
TOTAL: $92.00

Credit Card

Visa/MC ************0429 09/08

Conf#: Conf#: 06***

Now, this is not a fault of Google so much as it is a lack of user education. Folks, if you post your calendar event as public then it can be searched.

And my favourite. A Checkpoint staffer posting emails to his Google Calendar.

J**** ***** - Phone Call
————
From: (removed)@us.checkpoint.com]
Sent: Wednesday, April 04, 2007 11:24 AM
To: (removed)
Subject: FW: no subject (LTK9104768373X)

(removed),

Do you have time tomorrow or Friday to review the SMP?

(removed)

_____

From: (removed)
Sent: Wednesday, March 21, 2007 10:30 AM
To: AirCloud
Cc: (removed)
Subject: RE: no subject (LTK9104768373X)

Dear MSP-on-demand Partner (AirCloud),

Thank you for joining the Check Point MSP On-Demand for Small Businesses
program, the leading management solution for easy delivery of
enterprise-grade security to small business and consumer networks.

Registered Partner Information

——————————-

The MSP-on-demand Service Center is currently registered under the following
details:

Partner: AirCloud

Contact Name: (removed)

Email: (removed)

Phone Number: 925- (removed)

Country: USA

State: California

Please inform us by replying to this email in case any of the registered
details are different than specified.

MSP-on-Demand Service Center License Information

————————————————————————–

Your MSP-on-Demand instance is provided to you for Demo purposes for a
period of 12 months.

During this time you will be able to provide the following services:

* Software Updates - Up to 2000 nodes

* Remote Management - Up to 50 gateways

* Web Filtering - Up to 1000 nodes

* Email Antivirus - N/A through MSP-on-Demand

* Email Antispam - N/A through MSP-on-Demand

* VStream Antivirus Signature Updates - Up to 1000 nodes

* Dynamic DNS - Up to 50 gateways

* Dynamic VPN - Up to 50 gateways

* Logging and Reporting - Up to 50 gateways

* Vulnerability Scanning - Up to 50 gateways (Requires a Nessus
server)

Access the MSP-on-Demand Service Center

—————————————–

In order to start using your MSP-on-Demand Service Center, Surf to:
https://(removed)/SMC/index.jsp?instance=AirCloud.

Please use the following information to login to your MSP-on-Demand Service
Center:

Login: (removed)

Password: (removed)

Please keep your MSP-on-Demand Service Centers’ login information
confidential.

Connecting Customers’ Embedded NGX UTM to Your MSP-on-Demand Service Center

————————————

The Service Center IP address to connect Embedded NGX UTM gateways to your
MSP-on-Demand Service Center is: (removed).

For your customers convenience you can register the Service Center IP
address with your own domain name, for example: ServiceCenter.MyCompany.com.

Software Updates and Support

I should note that the above searches were all public-facing information.


UPDATE: Thanks for the link Techmeme!
