Google, Bing: A hacker's best friends

Hackers still use search engines like Google and Microsoft Bing to accelerate and automate attacks against vulnerable websites

Security experts long ago noticed that powerful search engines like Google could be used as effective tools for ferreting out sensitive data about individuals. In past years, security researchers such as Johnny Long were able to show how advanced Google search queries and features like Google Code Search could make it easy to identify vulnerable systems online. Sadly, malicious hackers and organized crime groups appear to have learned those lessons better than IT admins.

Speaking to a packed audience at the annual Defcon hacking conference in Las Vegas on Friday, Rob Ragan and Francis Brown, of consulting firm Stach & Liu, said that there is ample evidence that organized online criminal groups were leveraging Google's various search features to do reconnaissance on Web servers, identifying and catologuing those that are vulnerable to attack.

[ Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

Citing a mass hack of high-profile sites in June, including the websites of The Wall Street Journal and Jerusalem Post, Ragan and Brown said that such attacks suggest organized criminal groups are using freely available tools like Google Code Search to find vulnerabilities in open source codebases. Such techniques require little technical expertise -- simple regular expression searches can identify public-facing systems that are using certain code and thus vulnerable to attack. The near-real-time lists of vulnerable websites worldwide allow attackers to move quickly against Web servers once they obtain new client-side exploits for distribution.

Alas, IT and Web administrators have been slower to harness the same features to protect their assets. Ragan and Brown said that many early-generation Google hacking tools stopped working after Google retired its SOAP API in 2009. In turn, Google has introduced features to block automated queries through its standard user interface.

The researchers have created new utilities, GoogleDiggity and Bing Diggity, which can both be automated -- and that use the Google Hacking Database and File Signature Database to crawl designated Web domains looking for vulnerabilities and create real-time alerts when new, vulnerable website content appears. The two researchers have also developed techniques, using tools like Yahoo Site Explorer, to identify outgoing malicious links on legitimate websites that could direct unwitting visitors to malicious sites.

The researchers say that while techniques for leveraging search engines to do reconnaissance and data discovery have long been known, public knowledge of them hasn't kept pace with the development of those platforms by Google, Microsoft, Yahoo, and others. Google Alerts can be used to identify vulnerable Web pages as soon as they are indexed by these search engines' crawlers, while newer features like Google Phonebook, Google Health, and Google Updates can be used to sweeten social engineering attacks or extend the reach of searches to Twitter and other platforms.

Malicious hackers and online cybercriminal groups have already proved themselves adept at leveraging search trend data and SEO (search engine optimization) techniques to put links to malware-infected sites before the eyes of unwitting Web browsers. The fact that malicious hackers have already launched massive, automated attacks that leverage one or more freely available tools from the major search engine providers has gotten less attention. That trend, however, is bound to continue, as the diversity of data available online and indexed by firms such as Microsoft and Google continues to grow by leaps and bounds with little oversight.

Paul F. Roberts is a senior analyst at The 451 Group.

This article, "Google, Bing: A hacker's best friends" was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.

Copyright © 2010 IDG Communications, Inc.