Feature

Google Hacking: Why being a Google dork is hurting your company

Ezine

This article can also be found in the Premium Editorial Download "Information Security magazine: Captive to SOX compliance? A compliance guide for managers."

Download it now to read this article plus other related content.

Beating Google Hackers

    Requires Free Membership to View

Don't be a Googledork.
Follow these tips to stop suspicious searches:
  1. Restrict open directories on Web servers and ensure you have an index file defined.
  2. Use a robots.txt file to block Web crawlers.
  3. Employ NOARCHIVE and NOSNIPPET meta tags to limit caching and snippets.
  4. Use password protection. Google can't traverse protected Web sites.
  5. Assess yourself. Regularly run Google queries against your organization to see what is available.
  6. Keep Web servers patched.
  7. If you don't want data on the Internet, keep it off your Web servers.
  8. Use Google's online "remove" form to delete search results from its cache.
Sources: Dave Shackleford, Vigilar; John Penrod, The Weather Channel; Google Hacking for Penetration Testers by Johnny Long

So Simple, It's Scary
Johnny Long literally wrote the book on the subject: Google Hacking for Penetration Testers. A white hat, Long created a site (http://johnny.ihackstuff.com/) that hosts the Google Hacking Database (GHDB), a trove of queries that admittedly have value to hackers and pen-testers alike. He says hackers of some repute--like Mark "Simple Nomad" Loveless and Ryan Russell--were among the first to tap search engines. Long's book and dynamic presentations at industry conferences have made Google hacking part of the security lexicon.

"The simple fact is that, if you put a searchable interface on any pile of data, I think bad guys will eventually figure out you can do not-so-nice things with that," Long says.

In part, Google hacking is a misnomer. A large part of it is information gathering, turning Google's extensive search powers loose on an enterprise's vulnerable servers and files, password logs, open directories, Web-based device-management panels, remote desktop protocol clients, and administration interfaces for routers and switches. Intent separates pen-testers from black hats.

The hacks don't always require a lot of sophistication. The right combination of advanced operators--special terms that enable more sophisticated queries--and search terms can open your eyes to enterprise security secrets you'd never believe were readily available on the Internet. It's up to the security manager to make Google hacking part of any penetration test, and to design and implement security policies and procedures that review what data and infrastructure controls are exposed to the Internet.

"If the purpose of your [search] is to gain access to a network and hack into something, security knowledge is going to make or break that. It's not going to be the sort of thing where you stumble through somebody's firewall by using Google," Long says. "If you come in with some knowledge of security, Google is a great tool and will facilitate--for good guys and bad--getting what [you're] after. That's what made this so universal. Techies understand how far reaching this is. Non-techies realize it's something simple."

Long's site contributes to that simplicity. The GHDB is made up of 14 categories of queries and more than 1,200 entries, submitted from a community of hundreds of contributors. The queries run the gamut--they might find error messages that reveal too much about a failed login, or uncover information about online devices like printers and Webcams. Google can also generate much more dangerous results, such as vulnerability data from IDS and firewall logs, or vulnerable Web server versions.

One security expert shed some light on the simplicity of Google hacks: During a short phone call, he showed us how to search Google for remote desktop protocol extensions. Using a particular advanced operator-search term combination, we got 193 results. Clicking on a random return produced a dialogue box asking us if we wanted to open or save the remote desktop. The expert cautioned us not to go further. Had we done so, he said, we likely could have watched someone as they navigated through their desktop.

This was first published in March 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: