Is Google the hacker's best friend?

One expert says so...

By Robert Lemos, 30 July 2004 08:55

NEWS Google, the world's most popular search engine, is one of the handiest tools for hackers, according to one security expert.

Google's ability to record internet sites' content can be used to pinpoint those with weak security, Johnny Long, a security researcher and computer scientist for Computer Security Corp., told attendees at the Black Hat Security Briefings. Though the technique is not new, well-crafted searches turned up so many sites with vulnerabilities that even jaded researchers laughed during the session.

"It is an old dog with new tricks," Long said. "It never ceases to amaze people, all the vulnerabilities out there."

By searching for default server page titles, for example, an attacker can find easily exploitable servers. Applications left in default modes can also be found by searching for error pages generated by the software. And searching for specific file names can pinpoint vulnerable servers connected to the internet.

"It is the first step to finding vulnerable targets," Long said.
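The three indicators described above (default page titles, software-generated error pages and telltale file names) can be checked from the defender's side on pages you administer. The following Python audit is an added example, not code from the article or from Long's talk; the indicator lists, function names and sample pages are constructed assumptions.

```python
import re

# Constructed indicator lists (assumptions, not from the article); extend them
# with the default titles and error strings of the software you actually run.
DEFAULT_TITLES = [r"^Index of /", r"^Welcome to nginx!$",
                  r"^Apache2 \w+ Default Page"]
ERROR_STRINGS = ["You have an error in your SQL syntax", "Stack trace:",
                 "Fatal error:"]
RISKY_NAMES = re.compile(r"\.(bak|sql|old|log)$|(^|/)\.env$", re.I)
TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)
NOINDEX_RE = re.compile(r"<meta[^>]+name=[\"']robots[\"'][^>]*noindex", re.I)

def audit_page(path, html):
    """Return a sorted list of findings for one page of your own site."""
    findings = []
    m = TITLE_RE.search(html)
    title = m.group(1).strip() if m else ""
    if any(re.search(p, title, re.I) for p in DEFAULT_TITLES):
        findings.append("default-title")
    if any(s.lower() in html.lower() for s in ERROR_STRINGS):
        findings.append("verbose-error")
    if RISKY_NAMES.search(path):
        findings.append("risky-filename")
    # Only pages a crawler may index are reachable through a search engine.
    if findings and not NOINDEX_RE.search(html):
        findings.append("indexable")
    return sorted(findings)

def audit_site(pages):
    """pages: {path: html}. Returns {path: findings} for flagged pages only."""
    report = {p: audit_page(p, h) for p, h in pages.items()}
    return {p: f for p, f in report.items() if f}

# Constructed sample responses, as if fetched from a site you administer.
SAMPLE = {
    "/": "<html><head><title>Acme Widgets</title></head><body>Hi</body></html>",
    "/files/": "<html><head><title>Index of /files</title></head></html>",
    "/search?q=%27": "<html><title>Search</title><body>You have an error in "
                     "your SQL syntax near ''' at line 1</body></html>",
    "/db/backup.sql": "-- dump",
    "/staging/": "<html><head><title>Welcome to nginx!</title>"
                 "<meta name='robots' content='noindex'></head></html>",
}

if __name__ == "__main__":
    for path, found in audit_site(SAMPLE).items():
        print(path, found)
```

A `noindex` tag only keeps a page out of search results; the default page, error output or stray file still needs to be removed or locked down.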

A simple search for the log-in page of Microsoft's web server software, the Internet Information Server, turned up 11,300 sites on the internet that exposed the page to the public. Gathering log-in information for poorly configured databases is also easy, he said.

The exploitation of Google's in-depth searching capabilities underscores how software with no malicious motive can be used to help online intruders. The recent MyDoom.O virus hammered Google and other search engines with searches from infected PCs for additional email addresses to which the program could send itself. Security researchers have also theorised that Google and other search engines could be used as a carrier of malicious code.

"I only use Google to find vulnerable servers," said Tim Mullin, security specialist for accounting-software maker Anchor IS. Mullin said other search engines don't have the advanced search option available on Google and don't cache old versions of Web sites. "Not only can I see what exists now, but I can see what the website looked like before."

A Google representative could not immediately comment, citing Securities and Exchange Commission regulations regarding the quiet period before a public offering.

For most, the depth of Google searches is just one more potential threat to worry about.

"It's not revolutionising anything that people are doing now," Long said. "It is just adding another attack vector."

Robert Lemos writes for News.com

Comments

There are 9 comments.

  1. anonymous

    Here we have a group of guys who developed something great and it is coming under attack, with claims that it is a "hackers tool". This is pathetic.

    Google is as good at fighting the Hackers as it is at helping them.

    In one case, Security analysts were looking for a hacker who broke into their system and left his handle. It was as simple as typing that handle into Google, where they found his personal webpage and other information that led to his arrest.

    Don't bash Google, Google is your friend!

  2. I hate Dell

    It's a good thing if Google highlights these security flaws as the system admins shouldn't have been so lazy in the first place and left everything as standard. Now they can get off their fat asses and sort it out!

  3. Jon

    I have to admit, we have used Google to track down users of our software who failed to set it up correctly.

    We then contact them and advise/carry out the mods required.

    It was also via Google that we became aware users were not setting the correct permissions, having conducted a search for our software and finding a chat page with a comment posted.

  4. Aenox

    Google is NOBODY's friend. It tracks and monitors you like there is no tomorrow, especially with the new Gmail service. Disable cookies, use a proxy or avoid Google.

  5. Mayuresh Kadu

    Yes, that's like blaming the writer of "ping" for aiding hacking :))

  6. Joe Whitehead

    News: Today, Microsoft apologized for putting Dial-Up-Networking in its Windows series of products, since it can be used to hack other people's PCs.

    (;

    Wow, I'm being sarcastic, but it's true that you can say that something helps people do bad things, no matter how useful to society it is... Actually, the more useful to me, the more useful to someone wanting to harm me. :P

  7. H C Grant

    I understand that in the hacker world, you should be using the word "cracker" for this type of activity or do we now have "good" hackers and "bad" hackers? BTW for your next headline.... "Do screwdrivers increase the number of burglaries?"

  8. Technical Thug

    So, another security 'researcher' wants to hype his company by pointing out the glaringly obvious (Google provides information about other websites on the internet. Surprise!).

    And this is apparently news. Very poor. Must try harder.

  9. Bonnie Sawyer

    I would like to respond to, "It's not revolutionising anything that people are doing now," Long said. "It is just adding another attack vector."

    I disagree. Google is not the hacker's best friend. It is the schoolchild's best friend, the interested person's best friend, and a researcher's best friend. It is revolutionizing what people are doing. I was able to find information to help my father, in sick and desperate times, find comforts for his many ailments that his weekend resident intern doctors didn't even know by using Google. That is just an example of the use it provides to people! Remember hearing about the person over in Iraq who was allowed to go free from their captors when Google provided and confirmed who the person was as a journalist? To further summarize, a hacker is just that - a hacker. They have always been around and will use any means to do their deeds: from the start when mainframes ruled, and into the future, there will always be hackers and they will use what there is to be used. Do not poise to demonize Google when it is a wonderful and useful tool. In today's world, the focus should be on people protecting their servers against vulnerabilities (duh) and using software that is secure (better get with it Gates, Linux is Looming!) Focusing on a mere means to the end which is means for many other wonderful things is ludicrous and distractionary.
