Paperless Offices Invite Intrusion

Your personal email – think about the amount of information it can reveal about you, your co-workers, your company, your family, from party plans to shopping receipts to office gossip.

Microsoft Outlook is effectively the American workplace standard for email and calendaring. Knowing this, plus the domain attached to whatever organisation ‘interests’ you, can give you a great deal of information.

With an understanding of query syntax and Google’s search operators, there is a world of exploration that most office IT staff do not know exists. (Before I go on, note my legal disclaimer, paragraph 4.)

A query such as filetype:pst pst ( contacts | address | inbox ), combined with domain syntax in the query (the parenthesised constraints narrow the results and reveal more), can return information that was never intended to be viewed by the public.

After all, these would be PERSONAL email folders.

Outlook uses the .mbx extension for email storage. Knowing this, you can modify the query to something like filetype:mbx mbx Intext:Subject and find more.

Is there more? Oh yes. Be creative; you’d be amazed how many companies are going “paperless”, and the kind of information they keep on their servers is amazing. Better than that: much of the time it isn’t even on their servers but in the Google cache, which keeps your ID out of the equation (if you’re a bad guy). Spreadsheets, Word documents, scanned PDFs, email, IM chat logs, and so on. Many office employees use instant messaging, whether IM or AIM (extensions for snooping: CCT and BLT).

The mother lode of information about a company or its employees would be, can you guess? The human resources department.

Anything “intended” for public viewing is usually watered down, so this is a good place to get the real scoop. Modify the query: the HR department is usually on both an intranet and the Internet. Hmmmm, if they’re a progressive paperless company, see where this is going?

Combine ‘Human Resources’ and ‘intranet’ to a query.

Get the domain in there too. Things people think are private often are not. Not only can you find information about a company and its policies/procedures (weeeeeeeeeeee) but also about the people. Remember the xls and doc extensions; they usually contain numbers, numbers like SS#s and salaries, addresses, phone numbers. Are you beginning to see the issue?

So, while I am sharing some of the “Black Arts” here, it can either land you in jail or light a fire under your butt to get your server secured. The best thing to do right away is simply deny access to these extensions and physically separate your company intranet and Internet.
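The two fixes the post recommends (deny these extensions, keep intranet material off the public web) start with knowing what is actually sitting in the document root. The script below is an added example written for this page, not code from the original post: it walks a web root, flags files with the extensions the post names (pst, mbx, xls, doc, mdb, pdf), rates them higher when a path component matches one of the name fragments the post’s own queries search for (password, users, email, contact, backup, profiles, admin, outlook), and emits an Apache FilesMatch block that refuses to serve the blocked extensions. The extension list, the keyword list and the Apache snippet are assumptions built from the post’s text; the sample web root is constructed in the script itself.

```python
"""Audit a web document root for file types that search engines will index.

Added example for this page, not part of the original post.  The extension
and keyword lists are assumptions drawn from the post's own queries.
"""
import os
import tempfile
from pathlib import PurePosixPath

# Extensions the post names as leaking data when left in a public web root.
SENSITIVE_EXTENSIONS = {".pst", ".mbx", ".xls", ".doc", ".mdb", ".pdf"}

# PDFs are often legitimately public, so they are audited but not blocked.
BLOCKED_EXTENSIONS = SENSITIVE_EXTENSIONS - {".pdf"}

# Name fragments the post's queries look for (assumed list, built from the post).
SENSITIVE_NAMES = ("password", "users", "email", "contact",
                   "backup", "profiles", "admin", "outlook")


def classify(path):
    """Return "high", "medium" or None for one path relative to the web root.

    high   = sensitive extension AND a sensitive word in any path component
    medium = sensitive extension only
    None   = not one of the audited extensions
    """
    p = PurePosixPath(path)
    if p.suffix.lower() not in SENSITIVE_EXTENSIONS:
        return None
    components = [part.lower() for part in p.parts]
    for part in components:
        if any(word in part for word in SENSITIVE_NAMES):
            return "high"
    return "medium"


def exposed_files(paths):
    """Map each risky relative path to its label; harmless paths are dropped."""
    result = {}
    for path in paths:
        label = classify(path)
        if label is not None:
            result[path] = label
    return result


def audit_webroot(root):
    """Walk a real directory and return {relative_path: label} for risky files."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            found.append(rel.replace(os.sep, "/"))
    return exposed_files(sorted(found))


def apache_deny_rule():
    """An Apache <FilesMatch> block refusing to serve the blocked extensions.

    Assumed snippet: the post says to deny access to these extensions but
    gives no configuration of its own.
    """
    alternatives = "|".join(ext.lstrip(".") for ext in sorted(BLOCKED_EXTENSIONS))
    return (f'<FilesMatch "\\.({alternatives})$">\n'
            "    Require all denied\n"
            "</FilesMatch>")


def build_sample_webroot():
    """Create a constructed sample web root in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    sample_files = [
        "index.html",                 # harmless
        "hr/intranet/salaries.xls",   # spreadsheet outside the intranet boundary
        "backup/users.mdb",           # Access database under a "backup" path
        "docs/policy.pdf",            # PDF, audited but not blocked
    ]
    for rel in sample_files:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for rel, label in audit_webroot(root).items():
        print(f"{label:6s} {rel}")
    print()
    print(apache_deny_rule())
```

Run it against a real document root by calling audit_webroot("/var/www/html") (path assumed). Anything rated "high" is exactly the kind of file the queries in this post find; the FilesMatch block stops the web server from handing those extensions out at all, which also stops the search-engine cache the post warns about from filling up with them.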

Here are some scary things you can consider:

filetype:xls username | password | email
filetype:xls inurl:”passwords.xls”
filetype:xls Private
inurl:admin filetype:xls
filetype:xls inurl:contact
filetype:xls inurl:”email:xls”
allinurl:admin mdb
filetype:pst inurl:”outlook.pst”
filetype:mdb inurl:users.mdb
inurl:email filetype:mdb
inurl:backup filetype:mdb
inurl:profiles filetype:mdb
inurl:* filetype:mdb

Oh yeah – if you’re already playing around, STOP! Learn about proxies to protect your ID. Hint – the Google English to English translator?

IT Managers: you can’t prevent savvy attackers from using human nature against your company and employees, but you can educate them. I’ve worked in the corporate setting and can’t recall a single company or department meeting about how internet usage creates vulnerabilities for both the company and its employees personally.

Janet Smith in cube 36D could very well be leaving your company’s back door unlocked every night (as well as her own), and all she thought she was doing was chatting with her married boyfriend on IM.

3 Responses to “Paperless Offices Invite Intrusion”

1. Devin, December 19, 2006 at 8:12 pm

People like you cause us to wear tin-foil hats!

2. seth, January 17, 2007 at 11:10 pm

I think I have a deal for you! My email is in my login, let me know what you charge for this stuff.

3. knox, January 31, 2007 at 1:40 am

Doesn’t work that way, sorry Seth.