[Infowarrior] - Use of Google for Data Triggers Fears

Richard Forno rforno at infowarrior.org
Thu Feb 28 00:47:25 UTC 2008


Use of Google for Data Triggers Fears
Wednesday February 27, 6:26 pm ET
By Jordan Robertson, AP Technology Writer

http://biz.yahoo.com/ap/080227/techbit_google_hacking.html?.v=4

Automated 'Google Hacking' Software for Unearthing Data on Other Sites
Triggers Security Fears

SAN JOSE, Calif. (AP) -- It's called "Google hacking" -- a slick data-mining
technique used by the Internet's cops and crooks alike to unearth sensitive
material mistakenly posted to public Web sites.

And it's just gotten easier, thanks to a program that automates what has
typically been painstaking manual labor. The program's authors say they hope
it will "screw a large Internet search engine and make the Web a safer
place."

Google hacking doesn't mean anyone's hacking Google's Web site. Rather, it
refers to a sophisticated searching technique used to uncover flaws in the
way Web sites handle confidential details, such as public files containing
password and credit card numbers and clues about the vulnerability of the
site's own servers.

It works by examining the hidden recesses of a Web site, areas that have
been indexed by Google but don't pop up in traditional searches. Sometimes
Web sites accidentally post revealing information about themselves, either
because employees mistakenly put confidential documents online, or the site
wasn't properly configured to obscure sensitive areas.

Security experts say Google hacking wouldn't be an issue if Web sites had
proper security safeguards in place.

By looking through Google for evidence of specific types of files used by a
Web site or telling responses from the Web site's servers, hackers can learn
a lot about how the site was built -- and thus how to begin crafting their
attacks.

Although Google hacking has been used for several years by good guys and bad
guys to monitor security, experts caution that the new program, called
Goolag, could tip the balance in favor of criminals.

"It just makes their job that much easier -- in a very short period of time
they can do all these searches for sensitive information," said Ryan
Barnett, director of application security at Breach Security Inc. and a SANS
Institute faculty member.

Google hackers have typically had to enter in detailed Google search strings
by hand, using specially crafted queries to unearth links buried deep in the
list of a site's contents. Google has been able to clamp down on past
attempts to automate the process.

Experts say the new program, on the other hand, appears to work differently,
tricking Google into believing a real person is typing the queries -- in
other words, someone Google would be unlikely to block.

Google declined to comment on Goolag, released by the hacker group Cult of
the Dead Cow.




