Source : vunet
Google hacking evolves into automated tool
Malware authors are increasingly starting to create digital pests that use the Google search engine to find their next victim.
The automated vulnerability detection is the latest trend in a technique that is know as "Google hacking", McAfee's senior vice president for Risk Management George Kurtz told vnunet.com after a presentation about the phenomenon at the RSA Security conference in San Jose.
The Santy.a worm for instance was targeting a known vulnerability in some versions of phpBB to deface websits. It found its victims through an automated Google search query. Google eventually stopped the worm from spreading by blocking all searches that would turn up servers running the application. But the search engine will only be able to detect the abuse if the queries stand out between from the other searches.
Google hacking doesn't involve breaking in on Google servers but instead is used to describe a technique where online criminals use search engines to find sensitive information on the internet. Hackers have used search engines to assist in break-ins evers since the creation of online search.
During a series of demonstrations, Kurtz showed how fairly straightforward queries will bring up user names and passwords as well sensitive information such as social security numbers.
Some users for instance will put log files for vulnerability scans on their websites. The report is an open invitation for online criminals to exploit those vulnerabilities.
"Could you automate this any more? The bar to break into these systems is so low now, that any monkey that punches this code into Google can get this information back," Kurtz noted.
"You almost get bored finding all these password files. It used to be fun in the old days when you found a password file. Now you just go to Google and find thousands of them."
Users should adopt policies regulating the information that they put up on their websites and periodically audit their systems using tools such as GooScan or Site Digger, a free tool from Foundstone, a McAfee subsidiary.
Google isn't to blame for the information disclosure, Kurtz argued. The company is merely providing the tools, similar to a gun maker providing a weapon but not pulling the trigger.
Pictures and screenshots are posted on Silicon Valley Sleuth.
Google hacking evolves into automated tool
Malware authors are increasingly starting to create digital pests that use the Google search engine to find their next victim.
The automated vulnerability detection is the latest trend in a technique that is know as "Google hacking", McAfee's senior vice president for Risk Management George Kurtz told vnunet.com after a presentation about the phenomenon at the RSA Security conference in San Jose.
The Santy.a worm for instance was targeting a known vulnerability in some versions of phpBB to deface websits. It found its victims through an automated Google search query. Google eventually stopped the worm from spreading by blocking all searches that would turn up servers running the application. But the search engine will only be able to detect the abuse if the queries stand out between from the other searches.
Google hacking doesn't involve breaking in on Google servers but instead is used to describe a technique where online criminals use search engines to find sensitive information on the internet. Hackers have used search engines to assist in break-ins evers since the creation of online search.
During a series of demonstrations, Kurtz showed how fairly straightforward queries will bring up user names and passwords as well sensitive information such as social security numbers.
Some users for instance will put log files for vulnerability scans on their websites. The report is an open invitation for online criminals to exploit those vulnerabilities.
"Could you automate this any more? The bar to break into these systems is so low now, that any monkey that punches this code into Google can get this information back," Kurtz noted.
"You almost get bored finding all these password files. It used to be fun in the old days when you found a password file. Now you just go to Google and find thousands of them."
Users should adopt policies regulating the information that they put up on their websites and periodically audit their systems using tools such as GooScan or Site Digger, a free tool from Foundstone, a McAfee subsidiary.
Google isn't to blame for the information disclosure, Kurtz argued. The company is merely providing the tools, similar to a gun maker providing a weapon but not pulling the trigger.
Pictures and screenshots are posted on Silicon Valley Sleuth.