The ease with which a well-constructed search query can dredge up troves of passwords, corporate documents or gigabytes of MP3s isn’t likely to surprise a security manager. Yet, there are very few enterprise security organizations that dedicate resources to search engine hacking, or Google hacking as it’s more commonly known.
We’re trying to make it as easy as possible with a set of defensive tools that you can set up once, and forget about it.
Fran Brown, security researcher, Stach and Liu
Granted, Google has made the practice more of a chore in recent years by turning off a SOAP-based search API that was the backbone of many automated Google hacking tools. It also will soon retire a similar AJAX API in favor of a new JSON/Atom-based custom search API, throwing a wrench into the use of any recently developed Google hacking tools.
In response, two researchers with security consulting and services firm Stach and Liu will release more than 20 new Google hacking tools, including customized alerts, that security teams can turn on their specific domains and perform real-time queries against sites as soon as Google and other search engines index them.
The tools will be released next week at the 2011 Black Hat Briefings in Las Vegas. Fran Brown and Rob Ragan’s Pulp Hacking session will be a follow up to last year’s Lord of the Bing session, where the two released and did demos on their Google Diggity and Bing Diggity search tools.
This year’s follow-up is an extension of these defensive tools, which security organizations can use to determine if websites are leaking corporate or customer data, or if there are critical vulnerabilities present, such as SQL injection.
“Historically, organizations devote absolutely no resources to Google hacking,” Brown said. “I ask attendees in our talks all the time and maybe one person says it once a year, even then, I don’t believe them. It’s been so inconvenient historically that they don’t do it. We’re trying to make it as easy as possible with a set of defensive tools that you can set up once, and forget about it.”
Researchers, including Brown and Ragan, have speculated that the recent attack on Groupon India subsidiary Sosasta.com, which exposed more than 300,000 user names and passwords, may have had its genesis in a simple Google hack. Some of the LulzSec and Anonymous hacks, such as the one against HBGary Federal CEO Aaron Barr, could also have started as Google hacks, Brown said. In addition, most of the victims in recent mass SQL injection attacks, including one in 2010 that hit among other high-profile targets, the Wall Street Journal and Jerusalem Post, were likely culled via Google searches designed to find sites vulnerable to SQL injection.
“How else would you find four million websites ready to inject at the drop of a hat? My belief is it’s done through Google hacking,” Brown said. “I think that’s what people are doing.”
At Black Hat 2011 Brown and Ragan plan to provide details and demos on up to 20 new tools including, defensive tools that establish an RSS feed of alerts on possible vulnerabilities and data leaks on websites as soon as they’re indexed by a search engine. The tools can be deployed on Windows desktops or Droid and iPhone mobile devices.
Also expected to be released is Baidu Diggity, which targets Chinese search engine Baidu with automated Google-hack type searches. SHODAN Diggity is another that scans for SCADA vulnerabilities and will also be integrated into the RSS alert tool
A similar tool for Flash vulnerabilities, called Flash Diggity, enables an organization audit flaws exposed by Google, Brown said. DLP Diggity is a similar application that will crawl for Microsoft Office and PDF documents online looking for exposed Social Security or credit card numbers.
Each tool is customizable so an organization could specifiy domains or IP ranges to be searched, Brown said.
“The alert tools are really cool and I’m most excited about them,” Brown said. “I’m excited to see where they go.”