Oops. I've been Googled!

By Mariette du Plessis, Events Programme Director
Johannesburg, 03 Feb 2006

Can credit card numbers really be found on Google by searching for the phrase Visa 4356000000000000 4356999999999999?

The answer is yes, if databases of purchase records, which include card numbers, are either stolen and placed online, or are initially stored in a public place.

Google hacking first made the headlines in 2004. Today, with numerous how-to books on the subject, just about anyone can learn about it and apply the "trade".

<B>Know thy enemy: the good, bad and worse</B>

At the ITWeb Security Summit 2006, Nico De Louwere, systems engineer at Cisco SA, will expose the inner workings of, among others, Google hacking. His presentation, "Know thy enemy: the good, bad and worse", will help delegates understand the tactics hackers employ to attack business today, from Google hacking to botnets.

In simple terms, Google hacking is the use of a search engine, such as Google, to locate security vulnerabilities - misconfigurations and software vulnerabilities - on companies' Web servers or servers accessible via the Internet.

By searching for default server page titles, for example, an attacker can find easily exploitable servers. Applications left in default modes can also be found by searching for error pages generated by the software. And searching for specific file names can pinpoint vulnerable servers connected to the Internet.

<B>What a hacker can do if a site is vulnerable</B>

Information that the Google Hacking Database identifies:
* Advisories and server vulnerabilities
* Error messages that contain too much information
* Files containing passwords
* Sensitive directories
* Pages containing logon portals
* Pages containing network or vulnerability data such as firewall logs.

There's also a database of queries that identify sensitive data, the Google Hacking Database (GHDB), available for all and sundry at http://johnny.ihackstuff.com.

Although Google blocks some of the better known Google hacking queries, nothing stops a hacker from crawling your site and launching the GHDB queries directly onto the crawled content.

At www.i-hacked.com, there's even a sample of interesting searches that can be sent to Google to obtain info that some people might not want anyone to have. For example: "access denied for user"; "using password"; "A syntax error has occurred"; "allinurl: admin mdb"; "ORA-00921: unexpected end of SQL command"; "inurl:passlist.txt", and so on.

<B>How can Google hacks be foiled?</B>

* Make sure applications do not generate unhandled error messages.
* Make sure directory listings are disabled for all folders.
* Avoid storing lists of URLs in a folder, where a spider can crawl.
* Don't link to administrative pages from a Web page.

Source: ZDNet.com

Try it. Type the phrase "access denied for user" and "using password" into Google. Some 103 000 Web pages will be returned, some volunteering their SQL error messages. Among these will also be Web sites that give harmless information such as user IDs, SQL server stats and configuration details.

The easiest way to check whether a Web site and applications have Google hacking vulnerabilities is to use a Web vulnerability scanner. A Web vulnerability scanner scans the entire Web site and automatically checks for pages that are identified by Google Hacking queries.
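A minimal self-audit in the spirit of the scanner described above, as an added example (not from the article or any scanner product): it checks pages of your own site for the error strings the article quotes, for directory listings and for links to administrative or password files. The sample pages, the `Index of /` listing title and the link patterns are assumptions.

```python
import re
from html.parser import HTMLParser

# Error strings quoted in the article's sample searches (lower-cased).
ERROR_SIGNATURES = ["access denied for user", "using password",
                    "a syntax error has occurred",
                    "ora-00921: unexpected end of sql command"]
# Assumption: auto-generated listings carry an Apache-style "Index of /" title.
LISTING_TITLE = re.compile(r"<title>\s*index of /", re.I)
# Assumption: link targets worth flagging; adjust for your own site.
SENSITIVE_HREF = re.compile(r"admin|passlist\.txt|\.mdb$", re.I)

class PageParser(HTMLParser):
    """Collects the text and link targets of one page."""
    def __init__(self):
        super().__init__()
        self.text, self.hrefs = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]
    def handle_data(self, data):
        self.text.append(data)

def audit_pages(pages):
    """Return sorted (path, finding) pairs for a {path: html} mapping."""
    findings = []
    for path, html in pages.items():
        parser = PageParser()
        parser.feed(html)
        parser.close()
        body = " ".join(parser.text).lower()
        if LISTING_TITLE.search(html):
            findings.append((path, "directory listing enabled"))
        findings += [(path, "error message exposed: " + s)
                     for s in ERROR_SIGNATURES if s in body]
        findings += [(path, "link to sensitive target: " + h)
                     for h in parser.hrefs if SENSITIVE_HREF.search(h)]
    return sorted(findings)

# Constructed sample pages standing in for crawled content of your own site.
SAMPLE_PAGES = {
    "/index.html": '<title>Shop</title><a href="/admin/login.php">staff</a>',
    "/backup/": '<title>Index of /backup</title><a href="passlist.txt">x</a>',
    "/search.php": "<p>Access denied for user 'web' (using password: YES)</p>",
    "/about.html": "<title>About</title><p>Contact us</p>",
}

if __name__ == "__main__":
    print(*audit_pages(SAMPLE_PAGES), sep="\n")
```

Each finding maps to one of the four countermeasures listed above, so a clean run over staging content is a reasonable pre-publication check.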

Of course, the best safeguard is not to publish information others shouldn't see - because people will find it, because search engines are doing their jobs and because hackers are developing even more sophisticated methods to exploit search engine vulnerabilities - giving them access to personal and sensitive information.
