Comment Articles

Google hacking for beginners

Tags:
Google Books,
Hacked,
Hack,
Hacker

Ong Boon Kiat CNETAsia

Published: 08 Nov 2004 14:13 GMT

Google-risks?
How much harm can befall you if you are visited by Google hacks?

It will depend on what information you've carelessly exposed -- and what information was trawled. Using Google, hackers have been known to spy on photocopiers, discover passwords, monitor server activities and more.

I called on my expert security source, Gerry Chng, who manages Ernst and Young's technology and risk services.

"If I am a system administrator, how worried should I be?" I asked Gerry.

For someone who's seen far more nefarious hacking methods as a network penetration testing expert, Gerry was calm. "Google hacking is definitely one of the starting points a hacker would attempt to find information, but it is really nothing more than that," he assured me.

Furthermore, said Gerry, passwords and log files are generally only exposed under two scenarios -- both of which can be avoided with some care.

The first instance is when one links sensitive documents with URLs, or annotates documents with HTML tags. "Web spiders will only crawl to places where it sees a link," said Gerry. But watch out, however, for the not-so-obvious Web-linkages. For instance, Gerry has seen developers commenting out test code using the <! -- and -- > HTML tags. "Once a bot sees this link, it will try crawling into those areas," he warned.

The second instance where sensitive data exposure can happen is when application errors occur during a spider visit. In the case of SQL-driven web applications, one may see SQL error messages as a result. Even transient errors can mean exposure. He said: "If you visit this site later, the error message may be gone, but Google caches the results it sees."

Which means hackers interested in say, SQL injection attacks, can use Google hacking techniques to identify Web sites that are vulnerable because they had error messages cached.

In fact, network admins should probably worry more about having error messages cached by search engines than Web-linked files because the transient, auto-generated and error messages are likely to be unforeseen and can stay in Google's reach for a long time. You can however email Google to remove the links.

Search-proof?
So what can one do to foil Google hacks? Again, I turned to Gerry, who obliged with the following tips:

Make sure your applications do not generate unhandled error messages. "Having custom error message-handling replies lowers the chance for a generic search," he said. Apply the concept of "don't be a low-hanging fruit."
Make sure your directory listing is disabled for all folders. And avoid storing lists of URLs in a folder, where a spider can crawl to.
Links to administrative pages should never be placed in a link on a web page. This only encourages the spider to crawl there, and subsequently cache it.

Another tip: organisations should instil proper change controls when it comes to code changing. "I have seen developers commenting out previous codes which could still link to certain directories, or containing information about the changes made," said Gerry. Scary.

So there you have it.

But unfortunately -- or fortunately, for some of us -- Google doesn't stay still. Last month, Google launched its first desktop search engine. So it may not be too long before the perils of online search engine hacking moves into intranets and internal networks.

And don't forget also that there are other search engines that offers search-features that are different -- in some cases better -- than Google.

Network admins: you've been warned.