In the past we have pointed out how ever more often we can find tons of information on the internet and with the help of Google, such as:
- Google no Cloaking Rule Broken
- Privacy and Satellite Maps – Google Makes it Tougher to Protect Privacy
- Mash-ups and how your privacy may be lost again
Google hacking is the use of a search engine, such as Google, to locate a security vulnerability on the Internet. There are generally two types of vulnerabilities to be found on the Web:
1 software vulnerabilities and
2 misconfigurations.
CyTRAP Labs zero-day alert list – active exploits) or common user misconfiguration and how this might be exploited. Google or other search engines can then be used to simply try to find or scan for systems that have this vulnerability
The Web site below is the starting point for anyone looking to turn Google into a hacker’s tool. At its heart is a repository of sneaky queries called the Google Hacking Database, which got its start more than 8 years ago, when Long posted a few interesting Google queries on the internet.
More interesting web searches on Google that help a hacker find vulnerabble systems or music files can also be found below.
- Google hacking at its finest
CONCLUSION
Any new technology allows for a new attack vector. The big question with Google hacking or Google code search is whether the good guys will discover it first.
Unfortunately, if one is interested in an SQL injection attack, one can use Google hacking techniques to identify Web sites that are vulnerable because they had error messages cached.
HOW IT WORKS
| 4 tips for managing Google hack risks betterApply the concept of – don’t be a low-hanging fruit. | |
| 1 | Make sure your applications do not generate unhandled error messages. For instance, having custom error message-handling replies does help in lowering the chance of finding information regarding error messages using a generic search. |
| 2 | Make sure your directory listing is disabled for all folders. As well, avoid storing lists of URLs in a folder, where a spider can crawl to. |
| 3 | Links to administrative pages should never be placed in a link on a web page. This only encourages the spider to crawl there, and subsequently cache it…. |
| 3 | Make sure your organization uses proper change when it comes to code changing.Having developers comment on previous codes which could still link to certain directories, or containing information about the changes made must be avoided. |
| Google Search Toolbar should not be installed on any corporate PC – by default it records your employees search history — and may reveal information about your intranets and internal networks. |
|
PS 1.Google web history is a great tool until you start combing through your search history and realize you wish you would not have made those search queries after all. Even more so, you wish Google did not catalog every move you made so that your significant other could use it for her personal viewing pleasure.When was the last time you checked your Google Web History track record? If you use the Google Toolbar, the web history is activated by default.
PS. 2
Google Code Search digs through open-source code repositories on the Internet, compiling the large amount of source code available on the Web into an easily searchable database. The tool allows Web surfers to find code that matches certain regular expressions, and searches can be limited to certain file types and licenses.
The above allows an attacker to search for vulnerable code strings. We have pointed out that this can be dangerous because Google Code Search makes it easy to find vulnerable code:
- 2 security – what every programmer needs to know – bookreview
CONCLUSION
The above illustrates that addressing software vulnerabilities and misconfigurations is an important issue that should matter to every security engineer. Without addressing these issues matters to any compliance officer as well.
Considering that with Google’s help these vulnerabilities and misconfiurations could be found by the bad guys and, thereafter exploited….. gives one something to think about. So be warned.
SUBSCRIPTION
To make it more convenient for you to take advantage of CyTRAP Labs’ offerings, just provide us with your e-mail address below. You can personalize your subscription to make it suit your needs.