Black Hat: Google now a hacker's tool
CASTalk.com Forum Index CASTalk.com
Discussion of DSP, FPGA, storage and embedded system.
 
HAL 9000
Guest





Posted: Wed Aug 03, 2005 3:19 pm    Post subject: Black Hat: Google now a hacker's tool

AUGUST 02, 2005 (IDG NEWS SERVICE) News Story by Robert McMillan

Somewhere out on the Internet, an electric bong may be in danger. The
threat: a well-crafted Google query that could allow a hacker to use
Google Inc.'s massive database as a resource for intrusion.

"Electric bong" was one of a number of household devices that security
researcher Johnny Long came across when he found an unprotected Web
interface to someone's household electrical network. To the right of
each item were two control buttons, one labelled "on," the other,
"off."

Long, a researcher at Computer Sciences Corp. and author of the book,
Google Hacking for Penetration Testers (Syngress, 2004), was able to
find the electric bong simply because Google contains a lot of
information that wasn't intended to lie unexposed on the Web. The
problem, he said at the Black Hat USA conference in Las Vegas last
week, lies not with Google itself but with the fact that users often
don't realize what Google's powerful search engine has been able to
dig up.

In addition to power systems, Long and other researchers were able to
find unsecured Web interfaces that gave them control over a wide
variety of devices, including printer networks, private branch
exchange enterprise phone systems, routers, Web cameras and, of
course, Web sites themselves. All can be uncovered using Google, Long
said.

But the effectiveness of Google as a hacking tool doesn't end there.
It can also be used as a kind of proxy service for hackers, Long said.

Although security software can identify when an attacker is performing
reconnaissance work on a company's network, attackers can find network
topology information on Google instead of snooping for it on the
network they're studying, he said. This makes it harder for the
network's administrators to block the attacker. "The target does not
see us crawling their sites and getting information," he said.

Often, this kind of information comes in the form of apparently
nonsensical information -- something that Long called "Google turds."
For example, because there is no such thing as a Web site with the URL
"nasa," a Google search for the query "site:nasa" should turn up zero
results. Instead, it turns up what appears to be a list of servers,
offering an insight into the structure of the National Aeronautics and
Space Administration's internal network, Long said.

Combining well-structured Google queries with text-processing tools
can yield things like SQL passwords and even SQL error information.
This could then be used to structure what's known as a SQL injection
attack, which can be used to run unauthorized commands on a SQL
database. "This is where it becomes Google hacking," he said. "You can
do a SQL injection, or you can do a Google query and find the same
thing."

Although Google traditionally hasn't concerned itself with the
security implications of its massive data store, the fact that it has
been an unwitting participant in some worm attacks has the company's
search engine now rejecting some queries for security reasons, Long
said. "Recently, they've stepped into the game."

http://www.computerworld.com/printthis/2005/0,4814,103629,00.html
http://www.computerworld.com/securitytopics/security/story/0,10801,103629,00.html
Jim
Guest





Posted: Wed Aug 03, 2005 4:15 pm    Post subject: Re: Black Hat: Google now a hacker's tool

Interesting:
http://www.google.com/search?num=100&hl=en&lr=&c2coff=1&rls=GGLG%2CGGLG%3A2005-29%2CGGLG%3Aen&q=site%3Agoogle
Jim
Guest





Posted: Wed Aug 03, 2005 4:15 pm    Post subject: Re: Black Hat: Google now a hacker's tool

Any idea what these are?
http://www.slashstar.com/blogs/petro/archive/2004/05/18/531.aspx

The SEO URLs?
Guy Macon
Guest





Posted: Wed Aug 03, 2005 11:52 pm    Post subject: Re: Black Hat: Google now a hacker's tool

Jim wrote:

Quote:
Interesting:
http://www.google.com/search?num=100&hl=en&lr=&c2coff=1&rls=GGLG%2CGGLG%3A2005-29%2CGGLG%3Aen&q=site%3Agoogle

Step aside, son, and let a real Googler show you how it's done... :)

http://www.google.com/search?num=100&q=site%3Agoogle+-%22%26%22
JeffM
Guest





Posted: Thu Aug 04, 2005 12:15 am    Post subject: Re: Black Hat: Google now a hacker's tool

Quote:
Interesting:
http://www.google.com/search?num=100&hl=en&lr=&c2coff=1&rls=GGLG%2CGGLG%3A2005-29%2CGGLG%3Aen&q=site%3Agoogle
Jim

Step aside, son, and let a real Googler show you how it's done... :)
http://www.google.com/search?num=100&q=site%3Agoogle+-%22%26%22
Guy Macon

....which further reduces to:
http://www.google.com/search?q=site:google+-%26
(Set your own Items-per-page Preferences.)