[ISN] Google: A Hacker's Best Friend?

From: InfoSec News (alerts@private)
Date: Mon Jun 25 2007 - 22:12:49 PDT


http://www.forbes.com/security/2007/06/25/google-hack-hacking-tech-security-cx_ag_0625googlehack.html

By Andy Greenberg
Forbes.com
06.25.07

When Johnny Long wants information online, he turns to the same tool as 
most people: Google. But unlike the average Web user, Long isn't usually 
looking for Paris Hilton news and movie reviews. He's digging for credit 
card information, Social Security numbers and other private data stashed 
on corporate servers.

Long isn't a cybercriminal--he just plays one in his day job, as a 
researcher for the IT security firm Computer Sciences (NYSE: CSC). But 
he is a hacker, one with a talent for innovating new ways to penetrate 
corporate servers, albeit for testing purposes only. He's also the 
author of Google Hacking for Penetration Testers [1], a best-selling 
book that shows how to use seemingly harmless Google (NASDAQ: GOOG) 
searches to uncover surprisingly sensitive information.

Long spoke with Forbes.com about his forthcoming book, a more general 
kind of "Hacking for Dummies" guide to hacking without technical 
knowledge, and the tricky question of whether to publicize hacking 
techniques that require little more than a search engine and two hands.


Forbes.com: What is "Google hacking"?

Long: Google hacking is really just a subset of something I call 
"no-tech hacking." You use un-technological methods to break technology. 
After 10 years of trying, I've discovered a whole pile of ways to do 
that. Dumpster diving (looking in office trash for security 
information); tailgating someone into a secured facility; pretending to 
be a UPS guy or a repair guy or a delivery guy ... these things work 
almost all the time and require very little technical knowledge.


So where does Google come in?

In the beginning, we'd use Google to case the companies we'd be trying 
to penetrate. But we discovered that the Google searches we were running 
were returning more information about the company than they might 
realize. Just by doing a search on a Web site, we'd find a password or 
usernames that would grant us access.

Google hacking grew out of that. You perform a Google search looking for 
sensitive information that either gives direct access to a network, or 
something subtle that could be used in conjunction with other finds.


What kinds of vulnerabilities in Web sites have you found through Google 
hacking?

We have examples where you can put in a Google query and immediately get 
access to part of a site that already has you logged in as an 
administrator. We discovered that just by searching for certain terms, 
you could find personal information like credit card numbers, Social 
Security numbers, anything an attacker would need for identity theft. On 
some educational institution sites, we'd find entire Excel spreadsheets 
with students' names, Social Security numbers and even grades. But 
that's low-hanging fruit.


Without getting too technical, what's an example of a more subtle case, 
where you combine Google hacking with more advanced hacking?

For example, Google can help you find where an SQL server is vulnerable. 
SQL is basically the language of databases. Just by putting the right 
terms into a form on the Web, like a registration form on a site, you 
can do something called "SQL injection." Basically, your input into the 
form is confused with SQL code, and that can allow you to read data 
directly from a database, simply by typing into a Web login form.

Google allows you to find those vulnerabilities. If you type "MySQL 
error with query" into Google, some of the results will tell you which 
Web sites have had this error message, and that's the first step to an 
SQL injection. It's a nice way to do reconnaissance. It probes the Web 
very broadly without interacting directly with any target site, so it's 
difficult to detect.
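The two answers above describe a chain: a leaked database error message gets indexed, a search for that message points at the site, and the underlying string-concatenated query is then exploitable through the form. The script below is an added illustration of that chain and is not code from the interview, the book, or Forbes. It assumes a constructed two-row user table in SQLite (standing in for the MySQL server the interview mentions, since sqlite3 ships with Python), an assumed error-message format for the careless application, and a short list of error fingerprints to grep a page for; the vulnerable login is shown beside its parameterized fix.

```python
import sqlite3

# Constructed stand-in for the site's user table. The interview talks about
# MySQL; sqlite3 is used here only because it ships with Python.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by pasting form input into the SQL text.

    This is the "input is confused with SQL code" case: a quote in either
    field changes the statement instead of being compared as data.
    """
    query = (
        "SELECT username, role FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error as exc:
        # A careless application echoes the database error into the HTML
        # response. Once a search engine indexes that text, a query for it
        # lists the site among the results. (Message wording is assumed.)
        return {"user": None, "error": "SQL error with query %r: %s" % (query, exc)}
    return {"user": row, "error": None}


def login_safe(conn, username, password):
    """Same lookup with bound parameters: input is always data, never SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return {"user": row, "error": None}


# Strings that betray a leaked database error. The first is the one quoted
# in the interview; the second is MySQL's own syntax-error text; the third is
# the (assumed) wording the toy application above emits.
ERROR_FINGERPRINTS = (
    "MySQL error with query",
    "You have an error in your SQL syntax",
    "SQL error with query",
)


def find_error_leaks(page_text):
    """Return the fingerprints present in a page body: what a defender would
    grep their own indexed pages for, and what the search query is matching."""
    return [s for s in ERROR_FINGERPRINTS if s in page_text]


if __name__ == "__main__":
    db = make_db()
    # 1. A stray quote in the username breaks the statement; the error leaks.
    probe = login_vulnerable(db, "'x", "p")
    print(probe)
    # 2. Classic bypass: the password field makes the WHERE clause always true,
    #    so the first row (the admin) comes back with no valid password.
    print(login_vulnerable(db, "alice", "' OR '1'='1"))
    # 3. The parameterized version treats the same input as a literal password.
    print(login_safe(db, "alice", "' OR '1'='1"))
    # 4. Recon: the leaked error text is what the search engine would index.
    print(find_error_leaks("<html>" + (probe["error"] or "") + "</html>"))
```

Run it and step 1 shows the error text that would end up in a search index, step 2 returns the admin row for a password of `' OR '1'='1`, and step 3 returns no user for the same input. The defensive takeaways match the interview: never echo raw database errors to the client, bind parameters instead of concatenating, and search your own indexed pages for the fingerprints in `ERROR_FINGERPRINTS` before someone else does.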


Is Google becoming a more powerful tool for hackers?

Search engine popularity in general has been growing. But more 
importantly, the Web 2.0 movement means that everything is moving out to 
the Web. There's an absolute explosion of corporate and personal 
information out there.


Do you worry about the ethics of publicly discussing these tricks?

It's a huge debate in our industry. There are two camps: One camp says 
that when you talk about vulnerabilities you give bad guys ideas, but 
another camp says that you're helping good guys protect against bad 
guys. In the case of Google hacking, certain queries, like credit card 
queries, are very deadly stuff. So I've never talked about how to do a 
credit card query, though I've talked about the risk. It's a very fine 
line. I have to leave out enough information to avoid getting someone 
into trouble, but give the audience an idea of what's going on. So I 
always try to think about what it would mean to be on the other side of 
getting hacked, and I keep my professional clients in mind.

[1] http://www.amazon.com/exec/obidos/ASIN/1597491764/c4iorg





This archive was generated by hypermail 2.1.3 : Mon Jun 25 2007 - 22:37:53 PDT