This article can also be found in the Premium Editorial Download "Information Security magazine: Captive to SOX compliance? A compliance guide for managers."
Google hackers speak a searcher's slang. The following words will help you gab with the Googlers.
Googleturd: A search that shouldn't return any results because of a syntax error; or an incorrect query that returns legitimate results.
Googledork: An inept person or company whose sensitive information has been revealed by Google.
Advanced operator: Special searching techniques offered by Google that enable advanced queries. The syntax of a Google advanced operator is operator:search_term.
NOARCHIVE meta tag: A command that prevents Google from including cached links in search results.
NOSNIPPET meta tag: A command that prevents Google from returning summary information with search results; also prevents Google from caching the page.
Source: Google Hacking for Penetration Testers by Johnny Long
The risks are substantial if you fall victim to a Google hack. While it's impossible to estimate how many businesses have fallen prey, the potential figure is staggering.
Hackers troll search engines armed with queries that enable them to do everything from network mapping to carrying out the final phases of an actual attack. In recent months, Long says, newly submitted queries to the GHDB have found Web interfaces for VoIP equipment without login or password protection. Another uncovered an interface that would enable you to turn off a business' lights. It's not unusual to find an exposed Linksys router or Cisco VPN Concentrator management interface. Google hacks aren't parlor tricks.
Hackers love Google because it's anonymous; they can do target reconnaissance without anyone knowing. Google caches every page it crawls, ensuring that a copy is stored somewhere, even if the original has long been pulled from your site. The rub is that while the hacker scans a cached page looking at the leftover, forgotten goodies, there isn't a trace of his steps on your server logs. You'll never know your sensitive data wound up in the wrong hands.
Long cautions that making sure a cached page and the original link to a page are no longer referenced is not enough to keep your data from being accessible via a search engine. Security managers need to ensure that the page summary that appears with each result on the main search page is taken away as well. Hackers can use that snippet to reconstruct portions of a Web page you may not want them to see.
"There's a lot of technology around [caching], but it boils down to the same thing. You need to know what you want to get rid of and be proactive about getting it removed," Long says. "It's not just firing off the remove form to Google, but following it up and using the same techniques bad guys use to make sure it's actually gone."
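As an added example (not from the article or from Long's book), the following Python sketch audits pages for the NOARCHIVE and NOSNIPPET meta tags defined in the glossary and reports whether each page still allows a cached copy or a result snippet. The paths and page bodies are constructed samples, and the function names are hypothetical.

```python
from html.parser import HTMLParser

# Directive -> exposures it suppresses. Per the glossary above,
# NOSNIPPET also prevents Google from caching the page.
SUPPRESSES = {"noarchive": {"cache"}, "nosnippet": {"snippet", "cache"}}
CRAWLER_NAMES = {"robots", "googlebot"}  # meta names Google reads


class RobotsMetaParser(HTMLParser):
    """Collects directives from <meta name="robots|googlebot" content="...">."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        # Attribute names arrive lowercased; values keep their original case.
        a = {k: (v or "") for k, v in attrs}
        if a.get("name", "").strip().lower() in CRAWLER_NAMES:
            parts = a.get("content", "").split(",")
            self.directives |= {p.strip().lower() for p in parts if p.strip()}


def audit_page(html):
    """Return the exposures ('cache', 'snippet') the page still allows."""
    parser = RobotsMetaParser()
    parser.feed(html)
    blocked = set()
    for directive in parser.directives:
        blocked |= SUPPRESSES.get(directive, set())
    return sorted({"cache", "snippet"} - blocked)


def audit_site(pages):
    """Map each path to the exposures it still allows."""
    return {path: audit_page(body) for path, body in pages.items()}


# Constructed sample pages for illustration only.
SAMPLES = {
    "/admin/status.html": "<html><head><title>Status</title></head></html>",
    "/hr/policy.html": '<head><META NAME="ROBOTS" CONTENT="NOARCHIVE"></head>',
    "/finance/q1.html": '<head><meta name="googlebot" content="noindex, nosnippet"></head>',
}

if __name__ == "__main__":
    for path, gaps in audit_site(SAMPLES).items():
        status = "OK" if not gaps else "still exposes " + ", ".join(gaps)
        print(f"{path}: {status}")
```

A clean result only describes how the page is served now; copies that were cached earlier still need the removal and follow-up Long describes.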
Defending against Google hacks requires not only a process change, but also shifts in cultural attitudes toward security. Sensitive information often falls through the cracks because Web apps are rushed to market without code reviews or pen tests against a Web infrastructure.
This was first published in March 2006