In the same vein as the earlier post on searching for vulnerabilities with Google Code Search, I realized tonight that you can search for private calendars on Google Calendar Search by simply typing ‘private’ in the search box. You’ll be surprised by how many results you get (960 at time of writing).
With such nuggets as:
WhatPresentation in Bern [work]
WhenMon Sep 1 12pm – Mon Sep 1 4pm
It’s certainly not a great deal of work to trace other public details, and find out exactly who this might be. Interestingly, he’s also praying at 1AM today, and rowing at 2PM. He looks to be a bit worried about his skills.
This post ties closely to an observation made by stan over at n0where.org. What if a bank were able to access your calendar while you were planning to make a week-long trip to vegas? Do you think they’d still be eager to give you that home-loan? Food for thought, no?
Google: John Gomez! Are you really sure you want to share this with the world?
John Gomez: *clicks yes*
Google: Are you sure??
John Gomez: just do it, it’s handy!
Google: Okay, but don’t say I didn–
John Gomez: DO IT!
Google: fine. idiot.
[Except this doesn’t happen, and people have NO IDEA they’re sharing this info most likely]
Delta Air Lines #616, 01:15 PM PDTWhenFri, Sep 26, 4:15pm – 10:01pmWhereSFO – JFK (map)Description Record Locator: MXNYGI Flight: Delta Air Lines #616 Confirmation: CYT0L0 Departure Location: San Francisco International Airport (SFO) Departure Time: Friday, September 26 at 01:15 PM PDT Departure Terminal: 1 Arrival Location: John F. Kennedy International Airport (JFK) Arrival Time: Friday, September 26 at 10:01 PM EDT Arrival Terminal: 3
Out of curiosity, is anyone doing a taxonomy of real-world attacks? The final attack listed above is analogous to a DOS attack, but these are all straight-forward. I’d love to see a taxonomy of possible ways to exploit a piece of information (vulnerability).