Protect yourself from 'Google hacking'

Warning about web-connected devices...

Security experts are predicting a massive increase this year in so-called 'Google hacking', where malicious internet users or worms use the search engine to discover resources that are not intended for public consumption.

Last year two high profile worms used Google and other search engines to find potential targets. In August, a MyDoom variant used Google to find email addresses and a few months later the Santy worm found vulnerable bulletin board applications using various search engines. Security experts expect to see a lot more this year and advise enterprises to minimise their exposure to such attacks.

Andrew Collins, security manager in Asia/Pacific for CyberTrust, said that enterprises can avoid many of the potential dangers by ensuring that network resources - such as web cams - are not indexed by search engines.

"We expect to see further automated attacks using Google searches to select potential targets as well as a continuing increase in the discovery of search strings that return unintended information such as error codes, web-based cameras and restricted/private documents and web pages. Network enabled physical security systems, such as web cams and digital video capture systems, should be moved onto private networks that are not addressable from the internet," said Collins.

Gartner analyst Jay Heiser highlighted web cams as a potential danger in a recent advisory. According to Heiser, the web interfaces of network cameras have a default address structure that can easily be found using Google hacking techniques.

"Some of the cameras reached through the search engine are meant to be viewed by the public, but many are not. Keep them up-to-date with patches and use strong passwords. Unpatched cameras have had their configuration or behaviour changed by hackers," said Heiser.

Heiser explained that most search engines look for a file called 'robots.txt', which specifies which areas of a site, if any, can be indexed.

"Using robots.txt and other techniques to prevent indexing is a best practice for non-public systems and the various components supporting public systems. Treat all internet-facing devices - even apparently obscure ones such as network cameras - as relevant to security," said Heiser.
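Because robots.txt is itself a public file, every path it excludes from indexing should also be protected by real access control. The following Python audit is an added example, not code from the article or from either vendor; it parses a robots.txt the way a crawler would and then checks each disallowed path with a stand-in fetch function (the sample file and the responses it returns are constructed for offline use).

```python
"""Audit robots.txt: paths hidden from crawlers must also be access-controlled.
Added example; SAMPLE_ROBOTS and FAKE_RESPONSES are constructed test data."""
from typing import Callable, Dict, List, Tuple

# Constructed sample of a robots.txt that hides back-office and camera paths.
SAMPLE_ROBOTS = """\
# keep crawlers out of the back office
User-agent: *
Disallow: /admin/
Disallow: /camera/view.cgi
Disallow: /backup/
Allow: /public/

User-agent: Googlebot
Disallow: /internal-reports/
"""

def parse_disallows(text: str) -> List[Tuple[str, str]]:
    """Return (user_agent, path) for every Disallow rule, in file order.
    Handles comments and multiple User-agent groups; 'Disallow:' with no
    value means 'allow everything' and is skipped."""
    rules, agents, in_rules = [], [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            if in_rules:                             # a new group starts
                agents, in_rules = [], False
            agents.append(value)
        elif key in ("disallow", "allow"):
            in_rules = True
            if key == "disallow" and value:
                rules.extend((ua, value) for ua in (agents or ["*"]))
    return rules

def audit_robots(text: str, fetch: Callable[[str], int]) -> List[str]:
    """Disallowed paths that an unauthenticated request can still read (HTTP 200).
    These rely on crawler politeness alone, which is not a security control."""
    exposed: List[str] = []
    for _, path in parse_disallows(text):
        if path not in exposed and fetch(path) == 200:
            exposed.append(path)
    return exposed

# Constructed stand-in for an anonymous GET against your own site.
FAKE_RESPONSES: Dict[str, int] = {
    "/admin/": 401,            # login required: correct
    "/camera/view.cgi": 200,   # web cam viewable by anyone who reads robots.txt
    "/backup/": 200,           # directory served without authentication
    "/internal-reports/": 403,
}

def fake_fetch(path: str) -> int:
    return FAKE_RESPONSES.get(path, 404)

if __name__ == "__main__":
    for p in audit_robots(SAMPLE_ROBOTS, fake_fetch):
        print(f"EXPOSED: {p} is hidden from crawlers but served without auth")
```

Replace fake_fetch with a real unauthenticated request against your own hosts to turn this into a recurring check that the "Keep Out" sign is backed by a locked door.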

CyberTrust's Collins said that if enterprises think about their security as an entire system rather than the strengths and weaknesses of each individual application and appliance, they will be less vulnerable to attack.

"If an enterprise has invested in a strong security architecture then the threat posed by current Google hacks is minimal," said Collins.

Munir Kotadia writes for ZDNet Australia.

Comments

There are 2 comments.

  1. Orv

    robots.txt should be used with caution, and never as the sole way of protecting private information. "Polite" search engines like Google will honor it, but others may not. More importantly, anyone can read the robots.txt file, so it can become a map to all the stuff you don't want anyone to see!

    14 January 2005 19:30

  2. anonymous

    You should NOT rely on robots.txt for security! All it does is say, in effect, "if you are an automatic process, please don't search in the following spots..." Yes, Google obeys it, so your crappy security will be harder to find if the attackers just use Google. But not all spiders obey it, and web spiders aren't the only way to find vulnerabilities. For example, another way is to read your robots.txt file and assume that anything it excludes is likely to be interesting!

    So setting up robots.txt without securing a site is like putting a "Keep Out" sign on an unlocked door. Nice people will obey it, crooks will go "hmm, wonder what's behind ... ooh, it's unlocked!"

    If you are sufficiently aware of the problem to configure robots.txt, then do the job properly and actually secure your resources.

    17 January 2005 01:26
