February 11, 2009 3:22 PM
"Google Hacking" Raises Security Fears
(AP)
It's called "Google hacking" - a slick data-mining technique used by the Internet's cops and crooks alike to unearth sensitive material mistakenly posted to public Web sites.
And it's just gotten easier, thanks to a program that automates what has typically been painstaking manual labor. The program's authors say they hope it will "screw a large Internet search engine and make the Web a safer place."
Google hacking doesn't mean anyone's hacking Google's Web site. Rather, it refers to a sophisticated searching technique used to uncover flaws in the way Web sites handle confidential details, such as public files containing passwords and credit card numbers and clues about the vulnerability of the site's own servers.
It works by examining the hidden recesses of a Web site, areas that have been indexed by Google but don't pop up in traditional searches. Sometimes Web sites accidentally post revealing information about themselves, either because employees mistakenly put confidential documents online, or the site wasn't properly configured to obscure sensitive areas.
Security experts say Google hacking wouldn't be an issue if Web sites had proper security safeguards in place.
By looking through Google for evidence of specific types of files used by a Web site or telling responses from the Web site's servers, hackers can learn a lot about how the site was built - and thus how to begin crafting their attacks.
Although Google hacking has been used for several years by good guys and bad guys to monitor security, experts caution that the new program, called Goolag, could tip the balance in favor of criminals.
"It just makes their job that much easier - in a very short period of time they can do all these searches for sensitive information," said Ryan Barnett, director of application security at Breach Security Inc. and a SANS Institute faculty member.
Google hackers have typically had to enter detailed Google search strings by hand, using specially crafted queries to unearth links buried deep in the list of a site's contents. Google has been able to clamp down on past attempts to automate the process.
Experts say the new program, on the other hand, appears to work differently, tricking Google into believing a real person is typing the queries - in other words, someone Google would be unlikely to block.
Google declined to comment on Goolag, released by the hacker group Cult of the Dead Cow.