How to Browse Your Competitor's Hard Drive - HCCI-215 Session 2
Sometimes the easiest way to find out what your competitor is up to is to just browse their hard drive. No one is advocating violating any security policies or laws, but what a competitor chooses to put onto their public web server is generally considered to be fair game. Most readers are going to suppose that companies generally do not put their corporate strategies out where everyone can see them. This is however incorrect. There are now more than 468,000 recent news articles discussing a variety of "data breaches" across nearly every industry imaginable (Target, The National Archives, and Anthem Blue Cross are a few recent examples). On the other hand, there are more than 38 million (yes, really) unsecured file folders free for browsing across the Internet at this time. Whether you are checking to see what your competitor has left out in the open or simply making sure your own company has secured all its assets, this lesson will demonstrate the techniques you need to get the job done.
|Results for Google Search of publicly accessible|
file folders. Some results not appropriate for
Scenario #2: Browsing The IRS' Filesystem
Companies publish a vast array of public and non-public information online. They need to distribute information to their investors, potential investors, employees, contractors, government and independent auditors, and vendors which needs to be timely and relevant, but which they'd prefer not have reported in Hospitals & Health Networks Magazine. Rather than distribute this information via email, FTP, or some other method which at least guarantees the identity of the recipient, they opt to place it on their website, often without any password whatsoever. This is called "security by obscurity." One method, which we discussed, was simply to place the information on the website and exclude it from search engines by using the robots.txt configuration file. Another method, equally poor, might be to place the information on the web server, and simply avoid linking to it. If it's not linked, it's invisible, right? Wrong.
Just as you can browse the directories (or file folders) of your PC, you can browse the directories of a web server, provided it is configured in a certain way. Normally, any directory you enter as a URL (e.g. BigHospital.com/PublicRelations/) will by default show the webpage index.htm. If this file is absent and other provisions have not been made, you might end up seeing the entire filesystem of the webserver.
Let's try it. The IRS has exactly this situation (NASA does too). Navigating your browser to the URL http://www.irs.gov/pub/irs-drop/ results in a screen which is solely a list of files in the IRS drop directory (file folder). The IRS notes that this interface is for experts downloading specific PDF forms and that others who are not sure which file they need may want to browse a linked webpage which describes each form in turn.
For ethical reasons, it is not within the scope of this article to provide links to organizations who have unintentionally left a file folder publicly accessible in this way. Suffice to say that a Google search for ("index of /" site*.org "last modified") (drop the brackets, keep the quotes in this case) yielded nearly a million results. Adroit readers will note that this search uses Google's "site" operator in order to narrow the search down to ".org's" which are likely to be hospitals. Equally, you could search for ("index of /" site:SITENAME.COM "last modified") to find public facing directories solely on your rivals' website. It's fair to say that typically, this search will yield no results, but you don't know until you try.
Legal Notes: When in doubt, don't do it. Is it unethical? Consider that if your organization has a security oversight such as this, you would be dismayed if one of your competitors used it to gain an advantage (though perhaps not surprised). Legally, this sort of exercise is completely in flux at this time. The US has seen journalists imprisoned for simply linking to files which were formerly stolen in recent years, though many might argue that the searches described can amount to no worse than the digital equivalent of trespassing (especially considering that Google found and indexed the results previously). As always, check with your legal counsel. Regardless, check your own corporate site to make sure you aren't going out to meet the press each day with your company's back door wide open.
Enroll in the course now: Enter your e-mail for VIP Updates at the top of the page.
The entirety of Christopher Lotito's Health Care CFO Competitive Intelligence Master Class can be found online here: http://www.christopherlotito.org/search/label/HCCI-215%20Course -- The self-paced course runs through late March 2015 and the content will remain online after.
Contact the author on LinkedIn or via the comment form. http://www.linkedin.com/in/christopherlotito