Google hacking is a technique for discovering a variety of website vulnerabilities and exploitable information, including database error messages, which are used for footprinting. Complex search queries are constructed and then executed using popular search engines such as Google and Bing (Abdulghani, et al., 2010).
intitle:shop filetype:php "You have an error in your SQL syntax near"
Example of constructed query used in Google Hacking
If sensitive data has been crawled and indexed by a search engine, attackers can find it with cleverly constructed search queries that use built-in search operators, such as the Google search operators shown in figure 1. Using these operators, attackers can create very effective filters that return highly focused results. Because some services, such as Google, cache pages, attackers can even remain anonymous while viewing a copy of a prospective target (Lancor and Workman, 2007).
Figure 1: Google search operators
Despite attempts by Google to reduce the risk of Google hacking, it remains a significant threat (Brown and Ragan, 2010). It can be used not only for footprinting databases but also for finding sensitive information and vulnerabilities in open source code, and for gaining access to security cameras (Abdulghani, et al., 2010; Brown and Ragan, 2010).
Defending against Google hacking should be a high priority when designing an online system. Although it is impossible to implement a 100% secure system without removing all user interaction, there are steps that can be followed to minimise vulnerability. Any techniques implemented should be consistently re-evaluated and updated, as it is likely only a matter of time until methods to overcome them are found (Brown and Ragan, 2010).
The prevention of Google hacking generally falls under three categories: error handling, access restriction and security of common platforms. The first two categories are fairly straightforward. Error messages which could potentially be produced by the system should be suppressed under a site-wide policy. Access to non-public files and directories should be restricted, and 'robots.txt' files should be configured correctly. Any unnecessary files or directories should also be removed from the server. The security of common platforms refers to the use of a publicly available system such as a CMS. This is slightly more complicated to defend, depending on the number of systems used, as the vulnerabilities need to be understood for each individual system. These systems are easier targets for attackers because information about structures, file names, administrator pages etc. is easily accessible from the vendor (Lancor and Workman, 2007).
Information on carrying out this technique can be found at the Google Hacking Database (GHDB) and should be used to “hack yourself” to check for vulnerabilities (Brown and Ragan, 2010).
SearchDiggity, provided by security consultants Stach & Liu, allows a domain to be automatically searched using both Google and Bing on thousands of constructed queries to test for vulnerabilities (Brown and Ragan, 2010). The company also provides an alerts system which consists of a real-time RSS feed of newly indexed pages containing vulnerabilities.
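A self-check for the first two prevention categories above (error handling and access restriction), added here as an example and not taken from any of the cited tools. It scans saved response bodies from your own site for indexable database error messages and reports non-public paths that robots.txt does not exclude. The sample pages, paths and the two extra error signatures are constructed assumptions.

```python
import re
from urllib.robotparser import RobotFileParser

# Database error signatures a crawler could index. The first is the string from
# the page's example query; the other two are assumed, commonly seen equivalents.
ERROR_SIGNATURES = [
    re.compile(r"You have an error in your SQL syntax", re.I),
    re.compile(r"Warning: mysql_\w+\(\)", re.I),
    re.compile(r"ORA-\d{5}"),
]

def leaked_errors(pages):
    """Map each URL to the error signatures found in its response body."""
    findings = {}
    for url, body in pages.items():
        hits = [m.group(0) for sig in ERROR_SIGNATURES if (m := sig.search(body))]
        if hits:
            findings[url] = hits
    return findings

def crawlable_private_paths(robots_txt, private_paths, agent="Googlebot"):
    """Return the non-public paths that robots.txt still lets the crawler fetch."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return [path for path in private_paths if parser.can_fetch(agent, path)]

# Constructed sample data standing in for responses saved from your own site.
SAMPLE_PAGES = {
    "/shop/index.php": "<h1>Shop</h1><p>Blue mug, in stock</p>",
    "/shop/search.php": "<b>You have an error in your SQL syntax near 'x' at line 1</b>",
}
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /admin/\n"
PRIVATE_PATHS = ["/admin/login.php", "/backup/db.sql"]

if __name__ == "__main__":
    for url, hits in leaked_errors(SAMPLE_PAGES).items():
        print(f"error message exposed at {url}: {hits}")
    for path in crawlable_private_paths(SAMPLE_ROBOTS, PRIVATE_PATHS):
        print(f"not excluded from crawling: {path}")
```

robots.txt is only advisory and is itself publicly readable, so any path flagged here still needs server-side access restriction or removal from the server.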
References:
Abdulghani, M. A., Lubis, M., Reh, H. B. and Yaacob, N. I. B. 2010. Proceedings of regional conference on knowledge integration in ICT: A study on implementation and impact of Google hacking to internet security. [online] Available from: http://www.kuis.edu.my/ictconf/proceedings/298_integration2010_proceedings.pdf
Brown, F. and Ragan, R. 2010. INFOSEC world conference 2010: Google and beyond. [online] Available from: http://www.stachliu.com/slides/googleandbeyond.pdf
Lancor, L. and Workman, R. 2007. Using Google hacking to enhance defense strategies. [online] Available from: http://legacy.lclark.edu/~jmache/sec/google.pdf


