How to Borrow Your Opponent's Addressbook - HCCI-215 Session 3

If you've been following our series, you now know that healthcare organizations make some avoidable mistakes online: publishing lists of the web pages they'd prefer were private via robots.txt, and leaving sensitive information completely in the open in public directories on web servers.  Individuals typically avoid putting very private information, like their entire corporate addressbook, online, but then again a few of them don't.  That's right, a number of CEOs and other high-level employees have put their email addressbooks online without ever considering the ramifications.

This one needs an early ethics warning: if you find individually identifiable information online that should not be there, you have an ethical obligation to notify someone who can do something about it.  Let this scenario serve as a cautionary tale of a situation that your organization desperately needs to avoid.

Above: A disaster.  Email addressbooks unsecured on Google.
So how does an email addressbook, replete with industry contacts, end up on a public server and indexed by Google?  Generally, this happens when individuals who are not trained in information security are nonetheless granted direct access to a corporation's web server.  For example, CEO Kathy wants Intern Michael to contact the 75+ individuals she met at a recent healthcare conference on her behalf.  Michael needs Kathy's list of emails in order to carry out this task.  Kathy exports her entire addressbook because she's not really sure how to copy and paste or export a single group of addresses (and that's fine, that's not what she gets paid for anyway).  Now something very dangerous exists: a complete copy of Kathy's email addressbook.  Among many, many other pressing concerns, this is nearly all that is needed for anyone to completely replicate Kathy's LinkedIn profile, presuming the two accounts are synced.  Kathy does the obvious thing and tries to email the file to Michael, but it is too big to attach, so instead she drops it into the shared folder "workingfiles" on the company server.  Unfortunately, the company server is also the web server, and Kathy has just unknowingly published her company's corporate contacts for Google to index.

So how do we use Google to find disasters in the making like this?  You'll need Google's filetype search, which returns search results of only, you guessed it, certain file types.  Gmail exports addressbooks to a file named google.csv by default.  For ethical reasons, no link will appear here, but you can easily see that searching Google for (filetype:csv "google.csv"), without the parentheses, returns 38 results, including a few US Senate contacts which most certainly should not be out in the open.  38 results is next to nothing, but if we instead search for something along the lines of (filetype:csv site:*.org email), again without the parentheses, we get a somewhat terrifying 1,400+ results, many of which are entire organizational addressbooks, and a few of which openly contain passwords.  (These counts are Google's estimates at the time of writing and will vary from day to day.)  What a disaster.

There's another use for this technique: you can screen the Internet to see if you appear in any of these files.  Sure enough, a Google search for (filetype:csv "john smith") gets many results.

The issue of corporate addressbooks online is a serious one, but not quite so bad as the vast array of other private documents one can find using the filetype operator.  Try searching Google using filetype:xls (Excel spreadsheets) with the keywords username and password.  That's right, 8,600+ pages are available where organizations have conveniently put all of their account usernames and passwords into a publicly available Excel sheet to make things easier for employees.  Searching for filetype:doc with the keyword confidential or the phrase "not for public release" returns documents so clearly private that the author would not even click them for research purposes.  (Newer Office files need the filetype:xlsx and filetype:docx variants as well.)  Run these searches against your own organization today, adding site:yourdomain.com to each query; a few minutes of checking could save you millions of dollars in legal fees, fines, settlements, and lost business.
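Waiting for Google to index the file is the slow way to find out.  The scanner below is an added example (not code from the course or its author) that runs the same checks against a directory your web server serves, before anything is crawled: it flags CSV files with an e-mail column and many addresses (Kathy's export), spreadsheets saved as text with username/password headers, and documents carrying a distribution marker, and it prints the post's queries scoped to one site for checking what is already indexed.  Assumptions: only text-like files are inspected (binary .xls/.doc/.pdf would need an extraction step that is not shown), ten addresses is an arbitrary threshold for "this is an addressbook, not a contact page", and the sample web root it creates is constructed for the demonstration, with a CSV layout that only approximates a real Gmail export.

```python
"""Pre-indexing self-audit for exposed addressbooks, credential sheets and
marked documents under a served directory (added example, not the course's code)."""
import csv
import io
import os
import re
import tempfile

# A deliberately loose e-mail pattern; false positives are cheap here.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Header words and markers mirror the keywords the post searches for.
CREDENTIAL_HEADERS = {"username", "user", "login", "password", "passwd", "pwd"}
DISTRIBUTION_MARKERS = ("confidential", "not for public release",
                        "not for public distribution")
# Only text-like files are read; binary Office/PDF files would need extraction.
TEXT_EXTS = {".csv", ".txt", ".html", ".htm", ".md"}
ADDRESS_BOOK_MIN = 10  # assumed threshold: fewer looks like a contact page


def build_dorks(domain):
    """The post's Google queries, each limited to one site for self-auditing."""
    return [
        f'site:{domain} filetype:csv "google.csv"',
        f"site:{domain} filetype:csv email",
        f"site:{domain} filetype:xls username password",
        f'site:{domain} filetype:doc confidential OR "not for public release"',
        f"site:{domain} (filetype:ppt OR filetype:pdf) confidential",
    ]


def classify_text(name, text):
    """Return the list of exposure findings for one text-like file."""
    findings = []
    emails = set(EMAIL_RE.findall(text))
    if name.lower().endswith(".csv"):
        header = [h.strip().lower() for h in next(csv.reader(io.StringIO(text)), [])]
        if any("mail" in h for h in header) and len(emails) >= ADDRESS_BOOK_MIN:
            findings.append(f"address book export ({len(emails)} addresses)")
        if CREDENTIAL_HEADERS & set(header):
            findings.append("credential list (username/password columns)")
    elif len(emails) >= ADDRESS_BOOK_MIN:
        findings.append(f"contact list ({len(emails)} addresses)")
    lowered = text.lower()
    for marker in DISTRIBUTION_MARKERS:
        if marker in lowered:
            findings.append(f'distribution marker "{marker}"')
    return findings


def scan_tree(root):
    """Walk a served directory; map relative path -> findings (hits only)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in TEXT_EXTS:
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                findings = classify_text(fname, fh.read())
            if findings:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return report


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def make_sample_site():
    """Constructed web root reproducing the scenario: returns its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    # Constructed addressbook in a layout approximating a Gmail export.
    rows = ["Name,Given Name,Family Name,E-mail 1 - Type,E-mail 1 - Value"]
    for i in range(12):
        rows.append(f"Contact {i},Contact,{i},* ,contact{i}@example.com")
    _write(root, "workingfiles/google.csv", "\n".join(rows) + "\n")
    _write(root, "workingfiles/accounts.csv",
           "username,password\nadmin,hunter2\nbackup,Winter2015!\n")
    _write(root, "board-memo.txt",
           "Q1 strategy review. NOT FOR PUBLIC DISTRIBUTION.\n")
    _write(root, "index.html",
           "<html><body>Contact us at info@example.com</body></html>\n")
    return root


if __name__ == "__main__":
    for query in build_dorks("example.org"):
        print("check:", query)
    for rel, findings in sorted(scan_tree(make_sample_site()).items()):
        print(f"{rel}: {'; '.join(findings)}")
```

Point it at the real document root (`scan_tree("/var/www/html")`) rather than the constructed sample, and treat every hit as something to pull offline first and ask Google to drop second; the contact page (one address, no markers) stays silent, which is what keeps the report readable.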

It is difficult to overstate just how widespread this sort of security issue is and how devastating it can be, so an image has been included here which depicts Google results that incorporate the text "not for public distribution."  The results in question are from businesses, non-profits, and even governments.  The documents clearly should never have been placed on public servers, no matter how well hidden (an obscure path or a robots.txt entry is not an access control; if a file can be fetched without logging in, assume it will be indexed), but nonetheless they are not only present and easily located, but also quite timely (less than 2 weeks old!).

Above: Literal, actual results from Google showing documents posted publicly that clearly incorporate the text "not for public distribution."
The Exception (and strategy): Investors often learn a corporation's strategy early, as they are brought on to finance its operations.  Information for investors is often quasi-public: the corporation has no expectation of privacy, but works to ensure the strategy won't leak to the public early.  You can find investor documents early by using the filetype operator to search for PowerPoint and PDF files (filetype:ppt or filetype:pdf; newer decks need filetype:pptx too).  Searches for both filetypes with the keyword "confidential" turned up investor presentations from as recently as a week ago.

Legal Notes: When you were a kid, if you found the teacher's gradebook forgotten in the library, you turned it in.  The same ethics apply here, though the stakes are much higher.  Removal also has to happen in the right order: the file comes off the server (or goes behind authentication) first, because asking Google to drop a URL from its index does nothing lasting while the file is still being served.  When private information of this sensitivity is removed from Google, others see the good example and the entire industry is improved in some small way as a result.


The entirety of Christopher Lotito's Health Care CFO Competitive Intelligence Master Class can be found online here: -- The self-paced course runs through late March 2015 and the content will remain online after.

