This article can also be found in the Premium Editorial Download "Information Security magazine: Captive to SOX compliance? A compliance guide for managers."
Beating Google Hackers
Don't be a Googledork.
Follow these tips to stop suspicious searches:
Johnny Long literally wrote the book on the subject: Google Hacking for Penetration Testers. A white hat, Long created a site (http://johnny.ihackstuff.com/) that hosts the Google Hacking Database (GHDB), a trove of queries that admittedly have value to hackers and pen-testers alike. He says hackers of some repute--like Mark "Simple Nomad" Loveless and Ryan Russell--were among the first to tap search engines. Long's book and dynamic presentations at industry conferences have made Google hacking part of the security lexicon.
"The simple fact is that, if you put a searchable interface on any pile of data, I think bad guys will eventually figure out you can do not-so-nice things with that," Long says.
In part, Google hacking is a misnomer. A large part of it is information gathering, turning Google's extensive search powers loose on an enterprise's vulnerable servers and files, password logs, open directories, Web-based device-management panels, remote desktop protocol clients, and administration interfaces for routers and switches. Intent separates pen-testers from black hats.
The hacks don't always require a lot of sophistication. The right combination of advanced operators--special terms that enable more sophisticated queries--and search terms can open your eyes to enterprise security secrets you'd never believe were readily available on the Internet. It's up to the security manager to make Google hacking part of any penetration test, and to design and implement security policies and procedures that review what data and infrastructure controls are exposed to the Internet.
"If the purpose of your [search] is to gain access to a network and hack into something, security knowledge is going to make or break that. It's not going to be the sort of thing where you stumble through somebody's firewall by using Google," Long says. "If you come in with some knowledge of security, Google is a great tool and will facilitate--for good guys and bad--getting what [you're] after. That's what made this so universal. Techies understand how far-reaching this is. Non-techies realize it's something simple."
Long's site contributes to that simplicity. The GHDB is made up of 14 categories of queries and more than 1,200 entries, submitted from a community of hundreds of contributors. The queries run the gamut--they might find error messages that reveal too much about a failed login, or uncover information about online devices like printers and Webcams. Google can also generate much more dangerous results, such as vulnerability data from IDS and firewall logs, or vulnerable Web server versions.
One security expert shed some light on the simplicity of Google hacks: During a short phone call, he showed us how to search Google for remote desktop protocol extensions. Using a particular advanced operator-search term combination, we got 193 results. Clicking on a random return produced a dialogue box asking us if we wanted to open or save the remote desktop. The expert cautioned us not to go further. Had we done so, he said, we likely could have watched someone as they navigated through their desktop.
This was first published in March 2006