Google Hacking Evolves for Defense
LAS VEGAS -- The technique known as Google hacking is getting a reboot. With Google hacking, researchers dig through the search engine with specialized queries in order to locate vulnerabilities on websites.
Here at the Black Hat security conference, researchers Rob Ragan and Francis Brown from security firm Stach & Liu detailed their new efforts for hacking both Google (NASDAQ: GOOG) and the Microsoft (NASDAQ: MSFT) Bing search engine. The new tools and techniques are intended to provide a rapid alert system for enterprises to help identify risk within their organizations.
The tools include the GoogleDiggity and the BingDiggity projects, which enable users to perform security research with pre-built query strings to locate common vulnerabilities. The GoogleDiggity tool uses the Google AJAX API and Google's custom search to deliver results.
Ragan noted that back in 2004, researcher Johnny "I Hack Stuff" Long created a Google Hacking Database, which included queries that could be used to detect potential security issues. Ragan and his colleagues are now using a similar idea to build a Bing Hacking Database for vulnerability search queries using Microsoft's search engine.
From an enterprise scalability perspective, Brown noted that it's not practically feasible for companies to periodically Google hack themselves. But it is important for enterprises to have a way of knowing when they have some kind of vulnerability or information leakage as soon as possible, he argued.
To that end, the researchers have leveraged their Google hacking work to create search-engine-powered hack alerts. The approach is similar in scope to the Google Alerts system in which users select a keyword and are then sent emails or RSS updates whenever new instances of that keyword are found.
"What we did is we imported our hacking query database into Google and Bing hacking alerts," Ragan said. "So we're looking at over 2,300 queries and getting updates via RSS as they happen."
Brown noted that the hack alerts system will be made available as an OPML
In an effort to help enterprises scale and customize the hack alerts, Ragan said that his team is working on a Google desktop gadget as well.
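The alerting workflow described above, as an added example that is not code from Stach & Liu's Diggity tools: a list of alert subscriptions is exported as an OPML feed list for an RSS reader, and each poll of an alert's RSS feed reports only results not seen before. The feed URLs, query labels and the RSS sample are constructed placeholders.

```python
"""Search-engine hack alerts: OPML feed list plus new-result detection (added example)."""
import xml.etree.ElementTree as ET
from typing import Iterable

# Constructed alert subscriptions: (label, RSS feed URL). In practice each URL is
# the RSS delivery address of an alert created for one query from the hacking
# database, restricted with site: to the organization's own domains.
ALERT_FEEDS = [
    ("hacking-db query 1 (own domains only)", "https://alerts.example.invalid/feed/1.rss"),
    ("hacking-db query 2 (own domains only)", "https://alerts.example.invalid/feed/2.rss"),
]


def build_opml(feeds: Iterable[tuple[str, str]]) -> str:
    """Return an OPML 2.0 document listing the alert feeds, importable by RSS readers."""
    opml = ET.Element("opml", version="2.0")
    head = ET.SubElement(opml, "head")
    ET.SubElement(head, "title").text = "Hack alerts"
    body = ET.SubElement(opml, "body")
    for label, url in feeds:
        ET.SubElement(body, "outline", type="rss", text=label, xmlUrl=url)
    return ET.tostring(opml, encoding="unicode")


def new_results(rss_xml: str, seen: set[str]) -> list[dict]:
    """Parse one alert feed; return items whose link was not seen yet and record them.

    'seen' persists across polls so a repeated result never raises a second alert.
    """
    root = ET.fromstring(rss_xml)
    fresh = []
    for item in root.iter("item"):
        link = (item.findtext("link") or "").strip()
        if not link or link in seen:
            continue
        seen.add(link)
        fresh.append({"title": item.findtext("title", ""), "link": link})
    return fresh


# Constructed RSS sample standing in for a Google/Bing alert feed (duplicate on purpose).
SAMPLE_RSS = """<rss version="2.0"><channel><title>alert</title>
<item><title>Result A</title><link>https://www.example.com/a</link></item>
<item><title>Result B</title><link>https://www.example.com/b</link></item>
<item><title>Result A again</title><link>https://www.example.com/a</link></item>
</channel></rss>"""

if __name__ == "__main__":
    print(build_opml(ALERT_FEEDS))
    seen: set[str] = set()
    print(new_results(SAMPLE_RSS, seen))  # two new results on the first poll
    print(new_results(SAMPLE_RSS, seen))  # [] on the second poll
```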