Monday, July 2, 2007

Google: A Hacker's Best Friend?

When Johnny Long wants information online, he turns to the same tool as most people: Google. But unlike the average Web user, Long isn't usually looking for Paris Hilton news and movie reviews. He's digging for credit card information, Social Security numbers and other private data stashed on corporate servers.

Long isn't a cyber-criminal--he just plays one in his day job, as a researcher for the information technology services company Computer Sciences (NYSE: CSC). But he is a hacker, one with a talent for innovating new ways to penetrate corporate servers, albeit for testing purposes only. He's also the author of Google Hacking for Penetration Testers, a best-selling book that shows how to use seemingly harmless Google (NASDAQ: GOOG) searches to uncover surprisingly sensitive information.

Long spoke with Forbes.com about his forthcoming book, a more general kind of "Hacking for Dummies" guide to hacking without technical knowledge, and the tricky question of whether to publicize hacking techniques that require little more than a search engine and two hands.

Forbes: What is "Google hacking"?

Long: Google hacking is really just a subset of something I call "no-tech hacking." You use un-technological methods to break technology. After 10 years of trying, I've discovered a whole pile of ways to do that. Dumpster diving (looking in office trash for security information); tailgating someone into a secured facility; pretending to be a UPS guy or a repair guy or a delivery guy ... these things work almost all the time and require very little technical knowledge.

So where does Google come in?

In the beginning, we'd use Google to case the companies we'd be trying to penetrate. But we discovered that the Google searches we were running were returning more information about the company than they might realize. Just by doing a search on a Web site, we'd find a password or usernames that would grant us access.

Google hacking grew out of that. You perform a Google search looking for sensitive information that either gives direct access to a network, or something subtle that could be used in conjunction with other finds.

What kinds of vulnerabilities in Web sites have you found through Google hacking?

We have examples where you can put in a Google query and immediately get access to part of a site that already has you logged in as an administrator. We discovered that just by searching for certain terms, you could find personal information like credit card numbers, Social Security numbers, anything an attacker would need for identity theft. On some education institution sites, we'd find entire Excel spreadsheets with students' names, Social Security numbers and even grades. But that's low-hanging fruit.

Without getting too technical, what's an example of a more subtle case, where you combine Google hacking with more advanced hacking?

For example, Google can help you find where an SQL server is vulnerable. SQL is basically the language of databases. Just by putting the right terms into a form on the Web, like a registration form on a site, you can do something called "SQL injection." Basically, your input into the form is confused with SQL code, and that can allow you to read data directly from a database, simply by typing into a Web login form.

Google allows you to find those vulnerabilities. If you type "MySQL error with query" into Google, some of the results will tell you which Web sites have had this error message, and that's the first step to an SQL injection. It's a nice way to do reconnaissance. It probes the Web very broadly without interacting directly with any target site, so it's difficult to detect.

Is Google becoming a more powerful tool for hackers?

Search engine popularity in general has been growing. But more importantly, the Web 2.0 movement means that everything is moving out to the Web. There's an absolute explosion of corporate and personal information out there.

Do you worry about the ethics of publicly discussing these tricks?

It's a huge debate in our industry. There are two camps: One camp says that when you talk about vulnerabilities you give bad guys ideas, but another camp says that you're helping good guys protect against bad guys. In the case of Google hacking, certain queries, like credit card queries, are very deadly stuff. So I've never talked about how to do a credit card query, though I've talked about the risk. It's a very fine line. I have to leave out enough information to avoid getting someone into trouble, but give the audience an idea of what's going on. So I always try to think about what it would mean to be on the other side of getting hacked, and I keep my professional clients in mind.
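The two technical points Long makes above, that an indexed database error message is the first clue to an injectable form, and that a login form which glues input into SQL will hand over access, are shown below in an added Python example written for this repost. It is not part of the Forbes interview, Long's book, or any real site. It uses an in-memory SQLite database with constructed sample users and constructed page bodies standing in for search results; apart from the "MySQL error with query" phrase Long quotes, the error-message fingerprints are assumed, commonly seen strings chosen for illustration.

```python
import sqlite3

# Error strings that, when echoed into a page and indexed, mark a form worth
# probing. The first is the phrase from the interview; the rest are assumed
# fingerprints (MySQL, PHP, Oracle, SQL Server) chosen for illustration.
ERROR_SIGNATURES = [
    "MySQL error with query",
    "You have an error in your SQL syntax",
    "Warning: mysql_fetch_array()",
    "ORA-01756: quoted string not properly terminated",
    "Unclosed quotation mark after the character string",
]

# Constructed sample search-result bodies (not real pages).
SAMPLE_PAGES = {
    "http://www.example.edu/register.php?id=1":
        "Warning: mysql_fetch_array(): supplied argument is not a valid "
        "MySQL result resource in /var/www/register.php on line 42",
    "http://www.example.edu/about.html":
        "Welcome to the registrar's office.",
    "http://www.example.com/search.asp?q=1":
        "Unclosed quotation mark after the character string 'x'.",
}


def build_dorks(signatures, site=None):
    """Turn error fingerprints into exact-phrase search queries.

    A `site:` restriction scopes reconnaissance to one organisation, which is
    what a tester with a signed engagement letter would do."""
    dorks = []
    for sig in signatures:
        query = '"%s"' % sig
        if site:
            query += " site:%s" % site
        dorks.append(query)
    return dorks


def flag_error_pages(pages, signatures=ERROR_SIGNATURES):
    """Return {url: [matched fingerprints]} for pages leaking DB errors.

    `pages` maps URL -> body text; here it is the constructed sample above."""
    hits = {}
    for url, body in pages.items():
        matched = [s for s in signatures if s.lower() in body.lower()]
        if matched:
            hits[url] = matched
    return hits


def make_db():
    """Constructed in-memory user table, assumed for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cret", "administrator"), ("alice", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The flaw Long describes: form input is spliced into the SQL text.

    A stray quote produces a raw database error (the kind a search engine
    indexes); a crafted username comments out the password check entirely."""
    sql = ("SELECT role FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # Echoing the driver's message to the user is what creates the dork.
        return ("error", str(exc))
    return ("ok", row[0]) if row else ("denied", None)


def login_safe(conn, username, password):
    """Hardened form: placeholders keep input as data, never as SQL."""
    sql = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return ("ok", row[0]) if row else ("denied", None)


if __name__ == "__main__":
    for dork in build_dorks(ERROR_SIGNATURES, site="example.edu"):
        print(dork)
    print(flag_error_pages(SAMPLE_PAGES))
    db = make_db()
    # "admin' -- " closes the string and comments out the password clause.
    print(login_vulnerable(db, "admin' -- ", "wrong"))   # ("ok", "administrator")
    print(login_vulnerable(db, "O'Brien", "x"))           # ("error", ...)
    print(login_safe(db, "admin' -- ", "wrong"))          # ("denied", None)
    print(login_safe(db, "O'Brien", "x"))                 # ("denied", None)
```

The `login_vulnerable` path shows both halves of Long's point in one function: an ordinary apostrophe in a name is enough to surface a driver error message, and once that message is indexed, the same form accepts `admin' -- ` as a username and logs the caller in as the administrator without a password. The parameterised `login_safe` version returns a plain denial in both cases and never emits an error string for a search engine to find.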

