Posted on 02/13/2005 12:49:15 PM PST by MississippiMasterpiece
Hackers have found a handy tool to take control of bank accounts, tap into corporate computer networks and dig up sensitive government documents.
It's called Google.
The Internet's most popular search engine can find everything from goldfish-care tips to old classmates in the blink of an eye, but it's equally adept at finding caches of credit-card numbers and back doors into protected databases.
Google Inc. and other search providers create an inventory of the World Wide Web through an automated process that can uncover obscure Web pages not meant for the public.
"If you don't want the world to see it, keep it off the Web," said Johnny Long, a Computer Sciences Corp. researcher and author of "Google Hacking for Penetration Testers."
Unlike other intrusion techniques, Google hacking doesn't require special software or an extensive knowledge of computer code.
At a recent hackers' conference in Washington, Long demonstrated the eye-opening results of dozens of well-crafted Google searches.
Using Google, identity thieves can easily find credit-card and bank-account numbers, tax returns, and other personal information buried in court documents, expense reports and school Web sites that contain such information.
Google hackers can download Department of Homeland Security threat assessments marked "For Official Use Only."
They can gain control of office printers, Internet phones and other devices controlled through a Web interface -- including electrical power systems.
"One Google query, a couple of buttons, you can actually turn off power to their house," Long said.
Corporate spies can uncover passwords and user names needed to log on to a corporate network, or find poorly configured computers that still use default passwords.
A search for error messages can provide important clues for intruders as well.
One particular Google feature allows users to pull up older versions of a Web page. Such "cached" pages can turn up security holes even after they've been fixed, or allow an intruder to scan a network without leaving a footprint.
It's impossible to tell how often malevolent hackers use Google. But the recent emergence of computer worms that spread using the search engine suggests that Google hacking has been common practice for years, Long said.
"As soon as something gets to the worm phase, it's been in the manual phase for quite some time," he said in an interview with Reuters.
Long said Google should not be blamed for the effectiveness of its search engine, though he said the company could raise the alarm when it notices suspicious activity.
"Google removes content from search results under very limited circumstances," Google spokesman Steve Langdon said in an e-mail message, citing pages that contain child pornography, credit-card numbers and other personal information, or copyrighted material that is used without permission.
Microsoft Corp.'s recent acquisition of several security firms underlines the rising concern about online threats.
As awareness of Google hacking grows, security experts are boning up on search techniques to make sure their systems aren't vulnerable.
Long's Web site has collected more than 1,000 Google searches that can uncover flaws, and free software programs by Foundstone Inc. and SensePost can run those searches automatically.
Anybody with a Web site should Google themselves using a "site:" query that lists every Web site they have available online, Long said.
"The most practical thing I can tell people is to be fully aware of what their Google presence is. Companies and even individuals should be aware of what they look like through Google," he said.
Oh great. I get those by email, but that's legal...
bttt
Google is a very powerful tool. I got a rude awakening when I typed my real name in there and found all sorts of things about myself. I even found my real name linked to my screen name on Free Republic! So be careful about what you post on the Internet. Chances are your family and co-workers will be able to pull up all your posts here someday!
Bump
LOL ....After googling my name....I'm thinking about changing my name....too many people have the exact SAME name....and I am NOT a Smith, or a Jane or a Cathy.....or a Jones!
Read later ping.
I admit to having more than my share of geeky genes. These are fascinating and/or amusing:
Mechanical Hit Counter:
http://www.embeddedether.net/mhc.html
Contiki OS (Apple II port, among others):
http://www.sics.se/~adam/contiki/ports/
cc65 freeware C compiler for 6502 systems:
http://www.cc65.org/
8-bit (!?!) web server screenshot:
http://www.sics.se/~adam/contiki-img/contiki-eyecandy-webserver.png
Ethernut:
http://www.ethernut.de/en/enut13/index.html
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
