Security experts long ago noticed that powerful search engines like Google could be used as effective tools for ferreting out sensitive data about individuals. In past years, security researchers such as Johnny Long were able to show how advanced Google search queries and features like Google Code Search could make it easy to identify vulnerable systems online. Sadly, malicious hackers and organized crime groups appear to have learned those lessons better than IT admins.
Speaking to a packed audience at the annual Defcon hacking conference in Las Vegas on Friday, Rob Ragan and Francis Brown, of consulting firm Stach & Liu, said that there is ample evidence that organized online criminal groups were leveraging Google's various search features to do reconnaissance on Web servers, identifying and catologuing those that are vulnerable to attack.
Citing a mass hack of high-profile sites in June, including the websites of The Wall Street Journal and Jerusalem Post, Ragan and Brown said that such attacks suggest organized criminal groups are using freely available tools like Google Code Search to find vulnerabilities in open source codebases. Such techniques require little technical expertise -- simple regular expression searches can identify public-facing systems that are using certain code and thus vulnerable to attack. The near-real-time lists of vulnerable websites worldwide allow attackers to move quickly against Web servers once they obtain new client-side exploits for distribution.
Alas, IT and Web administrators have been slower to harness the same features to protect their assets. Ragan and Brown said that many early-generation Google hacking tools stopped working after Google retired its SOAP API in 2009. In turn, Google has introduced features to block automated queries through its standard user interface.