Google Hacking: Why being a Google dork is hurting your company

This article can also be found in the Premium Editorial Download "Information Security magazine: Captive to SOX compliance? A compliance guide for managers."


The Ethics of Sharing
Long, a professional pen-tester with Computer Sciences Corp., concedes that hosting this type of information on his site poses a moral dilemma. In the end, he says, full disclosure wins out.

"People may get affected in a negative way, but open communication fosters more education on all parts," Long says. "Yeah, it helps the bad guys, but after sitting back and watching the discussion unfold about vulnerabilities and whether they should be open, it would be silly to think I'm protecting anyone by sitting on the information."

The GHDB is rolled into a short list of tools that can be modified to run queries automatically against your company's domain. Long has written an open-source tool called Gooscan, which conducts bulk Google searches. Athena is a similar tool that, like Gooscan, is not based on the Google API, and using either violates Google's terms of service; Google has the option of banning a violator's IP range from using its search engine. Other tools, such as Wikto and Foundstone's SiteDigger, are based on the Google API and require a license key from Google.

"One of the things we're struggling with is figuring out how public and accessible we make [the GHDB]," Long says. "We're at the point now that we realize there's enough awareness around it. It's high time we start releasing it and making it as open as possible. That was our goal from the beginning--publicize this and raise awareness."

Then there's the question of whether Google has any responsibility not to disclose information that could imperil businesses--beyond honoring removal requests. A Google representative said the company's job is to bring the Internet to users. He declined further comment.

Long agrees that, while Google may have an opportunity to make a business of alerting companies that are being scanned, it doesn't have a responsibility to do so.

"It's not their data; Google doesn't own the data. It's the responsibility of the [business'] security people to keep their own space in order," Long says.

This was first published in March 2006