Plugged In: "Google Hacking" Digs Up Sensitive Material

Reuters ^ | February 13, 2005 | Andy Sullivan

[MississippiMasterpiece]

Hackers have found a handy tool to take control of bank accounts, tap into corporate computer networks and dig up sensitive government documents.

It's called Google.

The Internet's most popular search engine can find everything from goldfish-care tips to old classmates in the blink of an eye, but it's equally adept at finding caches of credit-card numbers and back doors into protected databases.

Google Inc. and other search providers create an inventory of the World Wide Web through an automated process that can uncover obscure Web pages not meant for the public.

"If you don't want the world to see it, keep it off the Web," said Johnny Long, a Computer Sciences Corp. researcher and author of "Google Hacking for Penetration Testers."

Unlike other intrusion techniques, Google hacking doesn't require special software or an extensive knowledge of computer code.

At a recent hackers' conference in Washington, Long demonstrated the eye-opening results of dozens of well-crafted Google searches.

Using Google, identity thieves can easily find credit-card and bank-account numbers, tax returns, and other personal information buried in court documents, expense reports and school Web sites that contain such information.

Google hackers can download Department of Homeland Security threat assessments marked "For Official Use Only."

They can gain control of office printers, Internet phones and other devices controlled through a Web interface -- including electrical power systems.

"One Google query, a couple of buttons, you can actually turn off power to their house," Long said.

Corporate spies can uncover passwords and user names needed to log on to a corporate network, or find poorly configured computers that still use default passwords.

A search for error messages can provide important clues for intruders as well.

One particular Google feature allows users to pull up older versions of a Web page. Such "cached" pages can turn up security holes even after they've been fixed, or allow an intruder to scan a network without leaving a footprint.

It's impossible to tell how often malevolent hackers use Google. But the recent emergence of computer worms that spread using the search engine suggests that Google hacking has been common practice for years, Long said.

"As soon as something gets to the worm phase, it's been in the manual phase for quite some time," he said in an interview with Reuters.

Long said Google should not be blamed for the effectiveness of its search engine, though he said the company could raise the alarm when it notices suspicious activity.

"Google removes content from search results under very limited circumstances," Google spokesman Steve Langdon said in an e-mail message, citing pages that contain child pornography, credit-card numbers and other personal information, or copyrighted material that is used without permission.

Microsoft Corp.'s recent acquisition of several security firms underlines the rising concern about online threats.

As awareness of Google hacking grows, security experts are boning up on search techniques to make sure their systems aren't vulnerable.

Long's Web site has collected more than 1,000 Google searches that can uncover flaws, and free software programs by Foundstone Inc. and SensePost can run those searches automatically.

Anybody with a Web site should Google themselves using a "site:" query that lists every Web site they have available online, Long said.

"The most practical thing I can tell people is to be fully aware of what their Google presence is. Companies and even individuals should be aware of what they look like through Google," he said.

[anniegetyourgun]

Yikes!

[demlosers]

Yes, Google search bots can find out a lot.

[coloradan]

One Google search, a couple of buttons - can we turn off Reuters?

[JoJo Gunn]

ping

[tioga]

better yet, shut down du?

[sure_fine]

just did this morning skim though a book at Barnes*Nobles


Google Hacking, alot of scripts to copy and setup

[montag813]

Anybody with a Web site should Google themselves using a "site:" query that lists every Web site they have available online, Long said.

Can someone please explain how to do this.

[bahblahbah]

For instance, go to google and type "site:google.com" and that shows you all the pages google has used its spider on IIRC.

Another trick you can use if a webpage doesn't load is to type "cache:somewebsite.com/blah/blah/blah.html" and that would bring up that webpage.

[demlosers]

To ensure your web site(s) are not showing more than you want it/them to show to the Internet Googling public.

[dufekin]

Let us say that you want every web page on Free Republic.

(1) Go to http://www.google.com

(2) Type "site:freerepublic.com" into the box

(3) Press "Google search" button

(4) See 2,800,000 web pages listed (apparently in no particular order)

[Fresh Wind]

Bots such as Google are supposed to respect the directives contained in a simple text file "robots.txt" located in the home directory of a website. Every web site SHOULD have one of these. This file instructs bots to ignore specific directories. For example, here is Free Republic's robots.txt file (no hacking required to see it):

User-agent: *
Disallow: /perl/
Disallow: /search/
Disallow: /focus/f-news/search
Disallow: /focus/keywords

It tells all bots to stay out of the listed directories. Well behaved bots (Google et al) will respect this file. Others may not.

[southland]

ping

[demlosers]

Google hackers can download Department of Homeland Security threat assessments marked "For Official Use Only."

The compilation of possible security incidents across the United States in police blotter form. Here it is on-line for the world to see:

http://cryptome.org/hsomb/hsomb.htm

[jslade]

better yet, shut down du?

Naw, let's keep them around. The DUmmies are too entertaining.

[demlosers]

-snip-

"Homeland Security Operations Morning Brief
11 January 2005

NOTICE: This document may contain initial and preliminary reporting which may or may not be accurate or be supported by corroborative information. The HSOC is actively evaluating the reporting to establish its accuracy and to determine if it represents a possible link to terrorism. If recipients have any additional or clarifying information, please contact the Homeland Security Operations Center Senior Watch Officer (HSOC SWO) at (202) 282-8101

1. (FOUO) NEW YORK/TURKEY: No-Fly Listee Aboard Aircraft. According to TSA reporting, on 9 January, at JFK airport, Turkish citizen Kursheed BEGUM boarded a Turkish Air flight bound for Istanbul. NTC confirmed that BEGUM was a positive match for the No-Fly list. There were no Air Marshals, VIP’s or high-value cargo on the aircraft. Authorities determined BEGUM was not a threat and removed her from the No-Fly list.(TSA e-mail, 10 January 05; HSOC 0097-05)

-snip-

3. (FOUO) CALIFORNIA / PANAMA: Refusal of Admission on Terrorist Organizational Ties. According to CBP reporting, on 8 January, Los Angeles Airport (LAX) CBP reported that Venezuela national Ali Hachem DAHROUGE (DOB: 11181974), arriving from Panama was an exact TIPOFF match. DAHROUGE was traveling with his brother Colombian national Wisal Chakib Hachem HACHEM (DOB: 05241974). Additional CBP information revealed that DAHROUGE is likely to engage in terrorist activities, and is a member of a foreign terrorist organization. HACHEM has an association with a terrorist organization. FBI and ICE interviewed the subjects and recommended that they not be allowed into the United States. Both were allowed to withdraw their application for admission, and will be returned to Panama on 13 January. (BTS Daily Operations Report, 13 Jan 05, HSOC 0160-05)

-snip-

2. (FOUO) MARYLAND: Agents Search Home of Man Suspected of Illegally Exporting Military Items to China and Iraq. According to ICE reporting, on 11 January, Washington, DC ICE Agents executed a search warrant at the Potomac residence of a named Polish national and lawful U.S. permanent resident. Agents recovered documents, a computer, and a firearm from the residence. The subject is under investigation for violations of the Arms Export Control Act (AECA) relating to alleged illegal exports of military items to the People’s Republic of China and Iraq. He is currently in custody for immigration violations relating to a prior felony conviction. (ICE Daily Summary of Operational Report, 13 Jan 05; HSOC 0183-05-05)"


Has someone checked the Clintonites' houses too. *snicker*

Interesting to read.

http://cryptome.org/hsomb/hsomb.htm

[MississippiMan]

If you want to see a pretty comprehensive list of easy Google hacks, click here. You can take control of webcams, printers, routers, all manner of stuff. Do note that unauthorized use of such resources may well be illegal, so I recommend that you don't do it, but it's still an eye-opener to just look at the list of things that CAN be done.

MM

[lepton]

bump

[RhoTheta]

Web Security ping!

[Splatter]

I had a company repeatedly call my home phone using an auto-dialer. Using caller ID, google, and few other tracing techniques, I locate the company name and employee. The fax/auto-dialer was located at her home. Within an hour I had found her name, home address, home phone, cell phone, fax number and voice mail.

Then the fun began (EG). Needless to say, the called promptly stopped.