TechWeb

Google-Powered Hacking Makes Search A Threat

Feb 22, 2008 (11:02 AM EST)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=206801429


Over the past few years, cybersecurity professionals have watched as the cinematic cliche of police with pistols being outgunned by thieves with automatic weapons has become applicable to their industry. Increasingly, they find themselves defending against automated attacks that can easily overwhelm the technologically underequipped.

Wednesday saw the debut of the latest such tool, which derives its power from Google's vast index. That's when the Cult of the Dead Cow, the self-proclaimed "world's most attractive hacker group," released a Web auditing tool called Goolag Scanner.

"It's no big secret that the Web is the platform," said cDc official Oxblood Ruffin, in a statement. "And this platform pretty much sucks from a security perspective. Goolag Scanner provides one more tool for Web site owners to patch up their online properties. We've seen some pretty scary holes through random tests with the scanner in North America, Europe, and the Middle East. If I were a government, a large corporation, or anyone with a large Web site, I'd be downloading this beast and aiming it at my site yesterday. The vulnerabilities are that serious."

To prove that point, Ruffin provided InformationWeek with a list of 11 high-profile U.S. government agency and lab Web sites that had been scanned and found to have what appear to be significant security holes, including satellite access codes, credentials for VPNs and routers, and open proxies. He asked that the information not be published, as the group's intent is not to embarrass government officials or encourage attempts to hack government systems.

The Department of Homeland Security, which Ruffin several weeks ago said was notified of the flaws, did not respond to a request for comment.

Goolag Scanner presently exists only as a Windows application, though it is being ported to other platforms. It allows the user to quickly scan Google's index for files on Web sites that may reveal security vulnerabilities. For example, Goolag Scanner allows you to search Web sites for containing file called "unattend.txt," which is used to drive unattended Microsoft Windows installations. The file may include information useful to hackers, such as administrator passwords.

Goolag Scanner doesn't do anything a hacker or penetration tester couldn't do by typing text into Google and using certain operator commands to constrain the search to a specific domain or file type. But it makes searching for holes much easier.

"The Goolag Scan tool isn't especially innovative in terms of the methods it implements," said Mark Kraynak, senior director of strategic marketing for data protection company Imperva, in an e-mail. "These techniques have been well known in the security community for some time."

What is does do, Kraynak said, is allow less-sophisticated attackers to exploit application and data layer vulnerabilities. "This will result in even more application attacks," he said. "This is bad news, since SQL Injection and Cross-Site Scripting already rank among the most common attacks lodged against online applications. ... The bad guys now have automatic weapons, so as a security community we need to upgrade our defense systems for these new threats."

What that means, in addition to addressing specific vulnerabilities, is defending against search.

As Petko D. Petkov, founder of security consulting firm GnuCitizen, explained in a blog post on Friday, search engines can be used very efficiently to collect information about vulnerabilities, particularly metadata that isn't ordinarily indexed.

Petkov proposes using the Amazon Web Services platform to build a custom search application for identifying vulnerabilities. "By using Amazon's Services and more specifically their Elastic [Compute] Cloud infrastructure, attackers can gain immense scalability, which they can use for their own evil good," he explained. "The cloud allows developers to spawn ritualized instances of any type of operating system, which can be instructed to go through any kind of heavy machine processing task, such as crawling Web sites, port-scanning, etc. The information can be stored on Amazon's Simple Storage Service. The whole package is quite cheap and very affordable."

But for the organization that gets hacked, the expense could be considerable.