[ISN] Google: Net Hacker Tool du Jour

From: InfoSec News (isnat_private)
Date: Tue Mar 04 2003 - 23:52:29 PST

    By Christopher Null
    Mar. 04, 2003

    Why bother pounding at a website in search of obscure holes when you
    can simply waltz in through the front door?

    Hackers have recently done just that, turning to Google to help
    simplify the task of homing in on their targets.

    "Google, properly leveraged, has more intrusion potential than any
    hacking tool," said hacker Adrian Lamo, who recently sounded the

    The hacks are made possible by Web-enabled databases. Because
    database-management tools use canned templates to present data on the
    Web, typing specific phrases into Internet search tools often leads a
    user directly to those templated pages. For example, typing the phrase
    "Select a database to view" -- a common phrase in the FileMaker Pro
    database interface -- into Google recently yielded about 200 links,
    almost all of which lead to FileMaker databases accessible online.

    In a few cases, the databases contained sensitive information. One
    held the addresses, phone numbers and detailed biographies of several
    hundred teachers affiliated with Apple Computer. It also included each
    teacher's user name and password. The database was not protected by
    any form of security.

    Another search result pointed to a page served by the Drexel
    University College of Medicine, which linked to a database of 5,500
    records of the medical college's neurosurgical patients. The patient
    record included addresses, telephone numbers and detailed write-ups of
    diseases and treatments. Once Google pointed the visitor to the page,
    the hacker merely needed to type in an identical user name and
    password (in short, the name of the database) in order to access the

    Both databases were Web-enabled using the FileMaker Pro Web Companion,
    a component of the $299 FileMaker Pro application, which is primarily
    targeted at beginning users. According to FileMaker, the Web Companion
    promises to "convert a single-user database into a multi-user
    networked solution in one simple step.... Authorized users can search,
    edit, delete and update records using most popular Web browsers."

    Apple did not return calls requesting comment, but the teacher
    database was apparently taken offline on Friday afternoon.

    Drexel University immediately shut down its database upon being
    informed of the vulnerability. Spokeswoman Linda Roth said university
    officials had not been aware that it existed online, as it was not a
    sanctioned university site. Drexel's dean also sent a memo to all
    employees reiterating the university's policy against unapproved
    databases. The school is canvassing its network to ensure no other
    databases have been posted online, Roth said.

    A FileMaker spokesman said the company tries its best to make users
    aware of security issues.

    "We're critically aware of security and the need for it," said Kevin
    Mallon. "We publish white papers and software updates on our site, and
    we send updates to our registered users about the need for security."

    But Mallon suggested that configuring access rights and selecting
    appropriate passwords are ultimately the user's responsibility. "We
    constantly emphasize with our users to be aware of the extent of the
    exposure they want -- or more importantly, the exposure they do not
    want -- for all databases published on the Web."

    Regarding the vulnerable Drexel database, Fred Langston, senior
    principal consultant of Guardent, an information security services
    company, said part of the reason the incident occurred might have been
    because such institutions typically encourage openness with regard to
    knowledge sharing.

    "We've done a lot of work at universities and teaching hospitals, and
    it's the hardest environment to impose security, because they tend to
    have an open information-sharing model," Langston said. "It makes it
    very difficult to impose restrictions on data: In a teaching
    environment, that's how people learn and extend their knowledge.

    "Even if (the vulnerability) hadn't been exposed through Google, it
    would have been exposed eventually."

    A Google spokesman said the company was aware of the situation, and
    that it provides tools that let webmasters remove inadvertently
    published information from Google's index within about 24 hours. Tools
    that allow for even speedier removal are in the works.

    Removing links after the fact, though, isn't a very elegant solution,
    Lamo said.

    "When your medical records are indexed in Google, something's wrong."
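
The kind of canvass Drexel describes, turned into a check an administrator can run over their own network, as an added example that is not part of the original article. It takes an inventory of responses from your own hosts and flags pages that show the database-template phrase the article quotes; the `Response` record, the sample hosts and the noindex test are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Phrase quoted in the article; add the template text of whatever
# web-publishing tools your own organization runs.
TEMPLATE_PHRASES = ["select a database to view"]
META_NOINDEX = re.compile(r'<meta[^>]+name=["\']robots["\'][^>]*noindex')

@dataclass
class Response:  # hypothetical record from a crawl of your own address space
    url: str
    status: int
    body: str
    headers: dict = field(default_factory=dict)

def audit(responses):
    """Return [(url, findings)] for pages showing a database template."""
    report = []
    for r in responses:
        text = r.body.lower()
        if not any(p in text for p in TEMPLATE_PHRASES):
            continue
        findings = []
        # A 200 to an unauthenticated request: any visitor or crawler can read it.
        if r.status == 200:
            findings.append("served without authentication")
        hdrs = {k.lower(): v.lower() for k, v in r.headers.items()}
        # noindex only keeps a page out of search results; it is not access control.
        if "noindex" not in hdrs.get("x-robots-tag", "") and not META_NOINDEX.search(text):
            findings.append("indexable by search engines")
        report.append((r.url, findings))
    return report

# Constructed sample inventory (hosts and bodies are made up for this example).
SAMPLE = [
    Response("http://db.example.edu/", 200, "<h1>Select a database to view</h1>"),
    Response("http://intranet.example.edu/db/", 401, "Authorization required"),
    Response("http://lab.example.edu/fm/", 200,
             "<p>Select a database to view</p>", {"X-Robots-Tag": "noindex"}),
    Response("http://www.example.edu/", 200, "<h1>Welcome</h1>"),
]

if __name__ == "__main__":
    for url, findings in audit(SAMPLE):
        print(url, "->", "; ".join(findings))
```

The second flagged host shows why removal from a search index is not a fix on its own: the page is hidden from search but still answers anyone who requests it.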
