Black Hat: Google now a hacker's tool

AUGUST 02, 2005 (IDG NEWS SERVICE) News Story by Robert McMillan

Somewhere out on the Internet, an electric bong may be in danger. The
threat: a well-crafted Google query that could allow a hacker to use
Google Inc.'s massive database as a resource for intrusion.

"Electric bong" was one of a number of household devices that security
researcher Johnny Long came across when he found an unprotected Web
interface to someone's household electrical network. To the right of
each item were two control buttons, one labelled "on," the other,

Long, a researcher at Computer Sciences Corp. and author of the book,
Google Hacking for Penetration Testers (Syngress, 2004), was able to
find the electric bong simply because Google contains a lot of
information that wasn't intended to lie unexposed on the Web. The
problem, he said at the Black Hat USA conference in Las Vegas last
week, lies not with Google itself but with the fact that users often
don't realize what Google's powerful search engine has been able to
dig up.

In addition to power systems, Long and other researchers were able to
find unsecured Web interfaces that gave them control over a wide
variety of devices, including printer networks, private branch
exchange enterprise phone systems, routers, Web cameras and, of
course, Web sites themselves. All can be uncovered using Google, Long

But the effectiveness of Google as a hacking tool doesn't end there.
It can also be used as a kind of proxy service for hackers, Long said.

Although security software can identify when an attacker is performing
reconnaissance work on a company's network, attackers can find network
topology information on Google instead of snooping for it on the
network they're studying, he said. This makes it harder for the
network's administrators to block the attacker. "The target does not
see us crawling their sites and getting information," he said.

Often, this kind of information comes in the form of apparently
nonsensical information -- something that Long called "Google turds."
For example, because there is no such thing as a Web site with the URL
"nasa," a Google search for the query "site:nasa" should turn up zero
results. Instead, it turns up what appears to be a list of servers,
offering an insight into the structure of the National Aeronautics and
Space Administration's internal network, Long said.

Combining well-structured Google queries with text-processing tools
can yield things like SQL passwords and even SQL error information.
This could then be used to structure what's known as a SQL injection
attack, which can be used to run unauthorized commands on a SQL
database. "This is where it becomes Google hacking," he said. "You can
do a SQL injection, or you can do a Google query and find the same

Although Google traditionally hasn't concerned itself with the
security implications of its massive data store, the fact that it has
been an unwitting participant in some worm attacks has the company's
search engine now rejecting some queries for security reasons, Long
said. "Recently, they've stepped into the game."

Re: Black Hat: Google now a hacker's tool



Re: Black Hat: Google now a hacker's tool

Jim wrote:


Step aside, son, and let a real Googler show you how it's done... :)

Re: Black Hat: Google now a hacker's tool


...which further reduces to:
(Set your own Items-per-page Preferences.)

Re: Black Hat: Google now a hacker's tool

Any idea what these are?

The SEO URLs?
