Google hacking was the big thing back in 2004, I actually did a talk on it in Hack in the Box 2004, it’s resurfaced again as a serious threat with Google noticing more queries relating to things like social security numbers.
The Google Hacking Database has been active for years now and there are hundreds of queries that can bring up juicy information. Goolag was also released this year which gives a much easier, automated way of Google Hacking for specific domains or info.
Search engines such as Google are increasingly being used by hackers against Web applications that hold sensitive data, according to a security expert.
Even with rising awareness about data security, it takes all of a few seconds to pluck Social Security numbers from Web sites using targeted search terms, said Amichai Shulman, founder and CTO for database- and application-security company Imperva.
The fact that Social Security numbers are even on the Web is a human error; the information should never be published in the first place. But hackers are using Google in more sophisticated ways to automate attacks against Web sites, Shulman said.
Shulman said Imperva recently discovered a way to execute a SQL injection attack that comes from an IP address that belongs to Google.
It seems like it’s becoming big business on both sides, finding information and vulnerable sites and by gaming Google into dropping pages from the index (Blackhat SEO).
Even with the throttling it’ll still continue, people will find smarter ways to make the queries so it’s not blocked and they’ll build rate limiting into their tools so they don’t get dropped. The bad guys have plenty of patience, trust me on that.
Manipulating Google is particularly useful since it offers anonymity for a hacker plus an automated attack engine, Shulman said.
Tools such as Goolag and Gooscan can execute broad searches across the Web for specific vulnerabilities and return lists of Web sites that have those problems.
“This is no more a script kiddy game — this is a business,” Shulman said. “This is a very powerful hacking capability.”
Another attack method is so-called Google worms, which use the search engine to find specific vulnerabilities. With the inclusion of additional code, the vulnerability can be exploited, Shulman said.
“In 2004, this was science fiction,” Shulman said. “In 2008, this is a painful reality.”
Google and other search engines are taking steps to stop the abuse. For example, Google has stopped certain kinds of searches that could yield a trove of Social Security numbers in a single swoop. It also puts limits on the number of search requests sent per minute, which can slow down mass searches for vulnerable Web sites.
As they said, this is not some script kiddy stuff, with the amount of queries going on and the complexity this is some serious business!
Any pen-test or vulnerability assessment should have an information gathering stage and it’s here you should be using Google Hacking techniques and tools to uncover anything on the domain or company infrastructure that shouldn’t be there.
Just be warned that this kind of stuff is on the up, so brief your clients of the dangers and make sure this step is included in the audit.
Source: Network World