Allow me to show you how to hack into your own Web site. You don’t need any specialized tools, and you don’t need any specialized skills either. All you need is a Web browser and the ability to enter the appropriate search syntax to Google your own site, or anybody else’s for that matter. It doesn’t take much time, and the payoffs could be huge: an intruder could easily obtain a copy of your most sensitive data in about the time it takes to read through this essay.
The trick is using Google’s search engine to look for specific terms, such as passwords, salary details, and customer details. The opportunities are enormous. Many Web sites contain inherent design flaws that leave them ripe for exploitation.These flaws are not immediately obvious and the fixes are not simple.
It was a fun story to report, and I thought I would take a moment to tell you about things that didn’t make it in there.
First and foremost is an updated version of a great book that O’Reilly has of the same name.
The term really refers to a lot of different things. In my NYT article, I talk about the dark side, about ways that bad guys can uncover sensitive information, or pages that you might not realize are available to the general public. But there are a lot of neat things that you can do with Google that are much more benign and fun, and can really stretch your ability to look for particular information. Here is one that you probably didn’t know about: you can type in “13 miles in kilometers” in Google’s search box and it will do the conversion for you.
Back to the dark side though. I spoke to a lot of different people in law enforcement, and one of the things that struck me during these interviews is how hard it is to prosecute someone who has been using Google to illegally use information. You need to have some tangible, physical evidence and the very nature of the Google hack is that you never leave any footprints on the target site. Still, I was impressed with how technically savvy the police are, at least the ones that I spoke to who understand these issues and aren’t taking these exploits lightly.
While these exploits have been known for many years among the IT community, they aren’t well known for the general business and consumer audience, which is why I wanted to write about them. Some people may say, why give these people the information to cause trouble? In my article, I actually show a sample piece of search syntax that can bring up vulnerable sites, which probably is a first for the Times.
I look at it differently: the bad guys already know about these exploits, and the challenge will be to educate the general population, especially the smaller businesses, that don’t always protect themselves. This isn’t just leaving your back door open, it is putting a 40 foot neon sign out front with a big arrow pointing out that millions of valuables can be found in your top dresser drawer. And the problem intensifies if someone can take over your site and use it to launch their own mischief or worse, illegal activities.
The article mentions two Web sites that are great resources for more technical folks. One is Johnny Long’s site.
Long compiles hundreds of vulnerabilities that have already been indexed by Google, and the site is full of great examples of search terms that you can plug in to find passwords and default configuration pages that will take you to some interesting places.
The other site is OWASP.org. The chair of this industry organization is Jeff Williams. He told me “most Web applications respond to attacks quite happily, without detecting them and without taking any defensive actions. Network security mechanisms like firewalls, intrusion detection, and hardened operating systems can’t detect or prevent these attacks because they don’t know anything about company’s custom application code and how it works. And, unfortunately, the innocent code doesn’t defend itself.”
Speaking of defending yourself, what can you do? First, make sure you are secure. Williams says, “companies that don’t know whether their applications are secure or not should start by verifying a few of them to find out.” And if you have information that you don’t want Google to index, remove it.
Here is some information that Google publishes to show site operators how they can remove their content from the search index.
Second, take security audits seriously, and do them often. Howard Schmidt, the former federal cyber security chief, talks about how you have to do security scans continuously. You can’t just rely on an annual audit, or even a quarterly audit, because sites are organically changing and new exploits are being uncovered every day.
Third, train your developers to be aware of these and other common exploits, and reserve some funding for security assessments as part of all contracting projects you do in the future. Use the sample legal contract language from OWASP.org when you have to hire out for help, and also take a look at their tutorials to harden your site.
Fourth, don’t just think that Google hacks are the only story. There are plenty of other ways to get information from Web sites. Read my white paper for Breach Security about SQL injection if you haven’t already, to see how easy this exploit is.
Finally, keep what Long told me in mind: “Google hacking, cross-site scripting and SQL injection vulnerabilities have been present in every Web site and application I have audited. Every single one. Bear in mind that some Google-hacking style vulnerabilities are more revealing than others, but it is a pervasive threat.”