[BreachExchange] Google Dorking: Exposing The Hidden Threat

Thu Jun 9 19:58:30 EDT 2016

http://www.darkreading.com/cloud/google-dorking-exposing-the-hidden-threat/a/d-id/1325842

Virtually everyone uses Google or other search engines, but what most
people don't know is that these search engines can perform advanced queries
that are exploited to carry out successful cyberattacks.

For example, earlier this year, a cyberattack by suspected Iranian hackers
made headlines when they used a simple technique called Google Dorking to
access the computer system that controlled a water dam in New York. Google
Dorking is readily available and has been used by hackers for many years to
identify vulnerabilities and sensitive information accessible on the
Internet.

Since its inception, the capabilities in Google Dorking have been added to
other search engines, including Bing, Baidu, and Open Source Network
Intelligence Tools (OSNIT) such as Shodan and Maltego.

Google Dorking, however, isn’t as simple as performing a traditional online
search. It uses advanced operators in the Google search engine to locate
specific information (e.g., version, file name) within search results. The
basic syntax for using an advanced operator in Google is Operator_name:
keyword

The use of advanced operators in Google is referred to as “Dorking” and the
strings themselves are called “Google Dorks.” Dorks can be as basic as just
one string, or they can be a more complex combination of multiple advanced
operators in a single search string. Each Dork has a special meaning to the
Google search engine that enables hackers and others to filter out unwanted
results and significantly narrow down search results. For example, Google
Dorks can be used to find administrator login pages, user names and
passwords, vulnerabilities, sensitive documents, open ports, email lists,
bank account details, and more.

Anyone with a computer and Internet access can easily learn about the
availability of advanced operators on Wikipedia or via other public
sources. Therefore, it’s not surprising that federal authorities say it is
increasingly being used by hackers to identify computer vulnerabilities in
the United States. The Department of Homeland Security and the FBI in 2014
issued a special security bulletin warning the commercial sector about the
risks of Google Dorking.

The underlying threat associated with Google Dorking is that search engines
are constantly crawling, indexing, and caching the Internet. While most of
this indexed data is meant for public consumption, some is not and is
unintentionally made “accessible” by search engines. As a result, a
misconfigured intranet, or other confidential information resource, can
easily lead to unintended information leakage.

Considering how easy it is for cybercriminals to access sensitive
information via public search engines and security tools raises an
important question: What can organizations do to minimize the risk of being
hacked via Google Dorking?

The first step is to avoid putting sensitive information on the Internet.
If unavoidable, assure that the data is password-protected and encrypted.
In addition, make sure that websites and pages that contain sensitive
information cannot be indexed by search engines. For example, GoogleUSPER
provides tools to remove entire sites, individual URLs, cached copies, and
directories from Google’s index. Another option is to use the robots.txt
file to prevent search engines from indexing individual sites, and place it
in the top-level directory of the Web server.

More important, organizations should implement routine Web vulnerability
testing as part of standard security practices. In this context, Google
Dorking can be a proactive security tool using online repositories like the
Google Hacking Database (GHDB), which documents the expanding number of
search terms for files containing user names, vulnerable servers, and even
files containing passwords. The database provides access to Google Dorks
contained in thousands of exploit entries. The direct mapping between
Google Dorks and publicly available data allows security professionals to
more rapidly determine if a particular web application contains these
exploits.

The Google Dorking phenomenon once again underscores how organizations must
not only test for vulnerabilities, but also assess whether they can be
exploited, and what risks they represent. This is best achieved when
vulnerability assessment, penetration test, and a cyber-risk analysis are
performed hand in hand.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160609/dc6f9646/attachment.html>