Search Engine Attacks to Dig Out Sensitive Information

By Creighton Linza for IT IS 3200

Posted on 31-Dec-2015

19 views

Category:

Documents


1 download

DESCRIPTION

SEARCH ENGINE ATTACKS to dig Out sensitive information. By Creighton Linza for IT IS 3200. Introduction. Search Engine an information retrieval system that searches its database for matches based on a query Web Crawler a program or script that automatically browses the web. Introduction. - PowerPoint PPT Presentation

TRANSCRIPT


Introduction

- Search Engine: an information retrieval system that searches its database for matches based on a query
- Web Crawler: a program or script that automatically browses the web

Introduction (cont'd)

- Search Engine Attacks: passive and stealthy; they have the ability to use the 'huge memory' of the internet

Main Issues

- Exploits in software used to secure databases
- 'Simple' identity theft: little information is required to get the attacker going
- Financial threats

Who benefits from this research?

- The Good: security personnel, individual users
- The Bad: hackers, solicitors

Who has worked with this research?

- Founders of search engine attacks: Oliver Peek, Kristjan Lepik
- What they did: found press releases in advance; overall made 7.8 million dollars

General Attacks

- Search for passwords: "index of" htpasswd / passwd; filetype:xls + search terms; "WS_FTP.LOG"
- Web help forums

General Attacks (cont'd)

- Google cache: bad for those who thought their problem was fixed
- Google Code Search: exploitable code
- Common files and directories: "index of" "listener.ora"
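The directory listings and stray files that the "index of" queries on this slide turn up are usually served by a web server that still has directory browsing switched on. The configuration below is an added example, not part of the original slides; it assumes Apache httpd 2.4, a document root of /var/www/html and a credential file kept outside that root. It turns off listings, refuses to serve the file names the slides mention, and puts the iSQL*Plus path behind authentication rather than relying on it staying unindexed.

```apache
# Added example (Apache httpd 2.4 assumed); paths are placeholders.

# 1. No automatic directory listings anywhere under the document root.
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# 2. Never serve credential or tool files, wherever they sit under the docroot.
#    Matches the file names the earlier slides say crawlers find.
<FilesMatch "^(\.htpasswd|\.htaccess|passwd|WS_FTP\.LOG|listener\.ora)$">
    Require all denied
</FilesMatch>

# 3. Keep administrative and database front-ends behind real authentication.
#    The user file lives outside the docroot so it can never be indexed.
<Location "/isqlplus">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile "/etc/httpd/private/isqlplus.htpasswd"
    Require valid-user
</Location>
```

After changing the configuration, check it with `apachectl configtest` before reloading. A robots.txt entry is not a substitute for any of this: it only asks well-behaved crawlers to skip a path, and anything already fetched may still sit in a search engine's cache until the removal request from the "What can be improved" slide is made.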

Database Attacks

- Potentially vulnerable web applications are searched for via a search engine
- Allows for advanced, specific, target-oriented searching
- Use exploits to attack holes
- 'Protected' databases found completely exposed by web crawlers

Oracle Attacks Example

- Oracle servers/database attack on iSQL*Plus, a Java servlet that listens on port 7777 or 5560
- If either port is exposed to the internet: the web server and applications can be inventoried by a web crawler, and a route to access an internal database is created
- From here, user accounts can be easily stolen
- Do-it-yourself: allinurl: "/isqlplus"

What can be improved

- Latest updates and patches
- Disable directory browsing
- No sensitive information online, unless using proper authentication
- Analyze the server's log for web crawler access
- Ask the search engine provider to remove any necessary content
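The "analyze the server's log for web crawler access" step can be scripted. The Python script below is an added example, not from the original slides. It assumes access logs in the Apache/nginx "combined" format, identifies crawlers by a User-Agent substring (an assumption: the marker list is not exhaustive, and a User-Agent can be forged), and flags crawler requests for the file names and paths the earlier slides mention, separating requests that returned 200 (content actually reached the crawler) from those that were blocked. The log lines are constructed for the example.

```python
"""Flag search-engine crawler hits on sensitive paths in a web server access log.

Added example: the log lines below are constructed, and the crawler markers and
sensitive-path rules are assumptions drawn from the slides, not an exhaustive list.
"""
import re

# Constructed sample lines in Apache/nginx "combined" log format (RFC 5737 addresses).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2015:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"
192.0.2.1 - - [10/Mar/2015:13:56:01 +0000] "GET /backup/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.1 - - [10/Mar/2015:13:56:02 +0000] "GET /backup/.htpasswd HTTP/1.1" 200 61 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.5 - - [10/Mar/2015:14:02:17 +0000] "GET /ftp/WS_FTP.LOG HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
198.51.100.7 - - [10/Mar/2015:14:10:44 +0000] "GET /isqlplus/ HTTP/1.1" 401 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

# One combined-format line: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Substrings that identify the major search-engine crawlers by User-Agent (assumed list).
CRAWLER_MARKERS = ("googlebot", "bingbot", "slurp", "duckduckbot", "baiduspider", "yandexbot")

# Paths the slides name as what crawlers dig out; matched against the path without its query.
SENSITIVE_PATTERNS = [
    ("htpasswd", re.compile(r"\.htpasswd$")),
    ("passwd", re.compile(r"(^|/)passwd$")),
    ("ws_ftp_log", re.compile(r"WS_FTP\.LOG$", re.IGNORECASE)),
    ("listener_ora", re.compile(r"listener\.ora$", re.IGNORECASE)),
    ("isqlplus", re.compile(r"/isqlplus(/|$)", re.IGNORECASE)),
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_crawler(user_agent):
    """Crude User-Agent check; a forged string passes, so treat this as triage only."""
    ua = user_agent.lower()
    return any(marker in ua for marker in CRAWLER_MARKERS)


def classify_path(path):
    """Names of the sensitive-path rules that a request path matches (empty if none)."""
    path = path.split("?", 1)[0]
    rules = [name for name, rx in SENSITIVE_PATTERNS if rx.search(path)]
    if path != "/" and path.endswith("/"):
        rules.append("directory")  # a listing may have been served if browsing is enabled
    return rules


def find_crawler_hits(log_text):
    """Crawler requests for sensitive paths, each tagged with whether content was served."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_crawler(rec["ua"]):
            continue
        rules = classify_path(rec["path"])
        if not rules:
            continue
        rec["rules"] = rules
        rec["exposed"] = rec["status"] == 200  # 200 means the crawler actually got content
        hits.append(rec)
    return hits


def exposed_paths(log_text):
    """Just the paths that a crawler fetched successfully: candidates for removal requests."""
    return [h["path"] for h in find_crawler_hits(log_text) if h["exposed"]]


if __name__ == "__main__":
    for h in find_crawler_hits(SAMPLE_LOG):
        state = "EXPOSED" if h["exposed"] else "blocked"
        print(f'{state:8} {h["status"]} {h["path"]:22} {",".join(h["rules"]):20} {h["ip"]} {h["ts"]}')
```

A 200 to a crawler on one of these paths means the content may already be in the engine's index or cache, which is when the "ask the search engine provider to remove" step applies, after the file has actually been taken down or put behind authentication. Because a User-Agent can be forged, the crawler check is a triage hint rather than proof; the major engines publish procedures for verifying that a request really came from their crawlers.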

Conclusion

- Web crawler program/script overhaul
- Google Webmaster Tools
- More security means more workload
- WYSIWYG (me)