EXPERT RESPONSE
With Google hacking, an attacker performs Google searches to find evidence of flawed or leaked information from a target website. There are more than 1,000 well-known searches to find such flaws via Google, maintained by Johnny Long in his Google Hacking Database (GHDB). In the past, a lot of Google hacks focused on finding sensitive data: account numbers, credit card numbers or Social Security numbers that financial institutions or retailers carelessly left on their websites. Google crawled and cached the information, making it searchable by anyone in the world. Even after the site removes the sensitive data, it often lives in the Google cache.
Although they are far rarer today than they were five years ago, such information-rich finds of sensitive, personally identifiable information (PII) can still be found via Google searches. Today Web architects are a little more aware of the problem and are slightly more careful. Initiatives like the Payment Card Industry (PCI) standards have helped to increase awareness of these issues and compliance with good security practices regarding credit card numbers. Furthermore, Google is actually policing its own search index, trying to scrape out sensitive information of that kind.
Does that mean that Google hacking is a thing of the past? Hardly; sensitive PII still turns up now and then. What's more, there are a lot of useful searches in the GHDB beyond PII to find vulnerabilities and other information useful to attackers. Here are a few examples:
- PGP keyrings -- With a user's public PGP keyring, an attacker has an idea of who that person communicates with. With the secret keyring (Yes, there are Google searches that will find secret keyrings!) the attacker can download the encrypted private key of a user. The attacker would then have to mount a passphrase guessing attack to decrypt the private key, likely a major undertaking if the user's passphrase is any good. But, with the private key cracked, the attacker could then decrypt the user's email, files and disk, and even forge digital signatures of the user.
- Nessus scan result -- With these files, the attacker doesn't have to bother performing a vulnerability scan of the target, given that he or she can just download the results of the scan done by the target organization's own security personnel.
- Vulnerable PHP scripts -- With a list of these, the attacker can try launching exploits of those scripts at the appropriate site to try to take them over. Google hacking is still an important attack vector today, but it has evolved over the past five years.
For more information:
Contributor Scott Sidel examines Goolag, an open source security tool that assists security pros in finding flaws in websites through Google hacking.
Learn how to prevent Google hacking in this excerpt from Chapter 8: Stalking the Computer of Steal this Computer Book 4.0 by Wallace Wang.
|
