Google Eyes

The search engine Google has achieved such ubiquity that it's already become a verb. Who hasn't googled an old friend, high-school flame, or job applicant? But its success has a dark side: It has become a chief source of information for hackers and virus writers who have learned how to use the search engine to dig up information that Web sites did not intend to make public.

The root of the problem is the way Google works. It sends a "WebBot" through sites; the bot follows links and indexes them. The search engine is extremely efficient, "including mapping out some pages that you would not expect to have access to," says Brian Serra, senior security consultant with Forsythe Solutions Group, an infrastructure technology provider. For example, files containing lists of passwords might be revealed, thus providing easy pickings for attackers.

Johnny Long, a security expert and ethical hacker with Computer Sciences Corporation, recently released The Google Hacker's Guide: Understanding and Defending Against the Google Hacker to instruct the security community in the ways that Google is being used as a hacking tool. The paper, written in language that can be understood by anyone who's ever used the search engine, explains the site's "advanced operators" that refine searches and provide information to potential attackers.

For example, the "site" operator--such as "site:securitymanagement.com"

--will reveal every page on a Web site, including error messages that could reveal critical information about network hardware and software. Long, who calls searches for improperly exposed information "googledorks," says that his intent is to get people to try them on their own sites. "If you have a Web site, the best thing you can do is sit down with Google and get an idea of what Google knows about your site," he says.

A paper by security company Imperva titled Web Application Worms: Myth or Reality gives this practice another name: war searching.

War searchers might, for example, search for the phrase "index of /etc" along with the term "passwd." Many of the links could include unprotected, or easily cracked, password files. The paper points out that when using this method "almost every result yields a vulnerable site." A traditional worm, on the other hand, looks randomly for targets, meaning that it would take millions of failed attempts to find the same number of vulnerable sites found by using Google first.

So what should companies be doing to keep themselves secure from Google-related attacks? Serra says that googling proactively is an important part of a good defense, as is the use of an instruction file called robots.txt that gives Web bots specific instructions as to what files may or may not be indexed. This is simply an "honor-system" defense that could be defeated by a malicious search engine, notes Joe Stewart, senior security researcher at managed security services provider LURHQ, but it should apply to Google searches.

Long says that he is contributing to a new tool that security professionals can use to run against their sites. It will run through the pages that Google has indexed on a site and "look for known bad things," such as files with potentially exploitable data like passwords, from a database he's compiled.

"The best idea is to keep Web applications out of reach of search spiders through the use of user authentication where possible," such as name and password, Stewart says. This could ensure that confidential information is kept safe from Google eyes.

@ Link to these papers and the tool by visiting SM Online.