reports.informationweek.com using google to find ... · using google to find vulnerabilities in...
TRANSCRIPT
M a r c h 2 0 1 2
Report ID: S4440312
Next
reports
Using Google to Find Vulnerabilities In Your IT Environment Attackers are increasingly using a simple method for finding flaws in websites
and applications: they Google them. Using Google code search, hackers
can identify crucial vulnerabilities in application code strings, providing the
entry point they need to break through application security. Sound scary?
It is, but there is good news: You can use these same methods to find flaws
before the bad guys do. In this special report, we outline methods for using
search engines such as Google and Bing to identify vulnerabilities in your
applications, systems and services—and to fix them before they can
be exploited.
By Francis Brown
R e p o r t s . I n f o r m a t i o nWe e k . c om
Presented in conjunction with
Previous Next
reports
reports.informationweek.com March 2012 2
CONT
ENTS
TABLE OF
3 Author’s Bio
4 Executive Summary
5 The Search is on for Vulnerabilities
5 Figure 1: Google Results for Common Docs
7 New Weapons of Choice
7 GoogleDiggity
7 BingDiggity
8 DLPDiggity
8 FOCA
9 The Harvester
9 Maltego
10 Deep Magic
10 BingLinkFromDomainDiggity—
Footprint Tool
10 Shodan
11 FlashDiggity
11 PasteBin Leaks
11 Conclusion
12 Figure 2: Google Hacking: A History
of Key Events
13 Defensive Alerts Provide New Protections
13 Diggity Alert Feeds
14 Diggity Alert Clients
15 More Like This
ABOUT US
InformationWeek Reports’ analysts arm business technology decision-makers with real-world perspective based on qualitative and quantitative research, business and technology assessment and planning tools, and adoption best practices gleaned from experience. To contact us, write to managing director Art Wittmann at [email protected], content director Lorna Garey at [email protected], editor-at-largeAndrewConry-Murray at [email protected], andresearch managing editor Heather Vallis [email protected]. Find all of our reports at reports.informationweek.com
U s i n g G o o g l e t o F i n d V u l n e r a b i l i t i e s
March 2012 3
Previous Next
© 2012 InformationWeek, Reproduction Prohibited
reports
reports.informationweek.com
U s i n g G o o g l e t o F i n d V u l n e r a b i l i t i e s
Francis Brown, CISA, CISSP, MCSE, is a managing partner at Stach & Liu, a secu-rity consulting firm that provides IT security services to Fortune 500 and globalfinancial institutions, as well as U.S. and foreign governments. Before joiningStach & Liu, he served as an IT security specialist with the Global Risk Assess-ment team of Honeywell International. There, Francis performed network andapplication penetration testing, product security evaluations, incident responseand risk assessments of critical infrastructure. Prior to that, Francis was a con-sultant with the Ernst & Young Advanced Security Centers. Francis has pre-sented his research at leading conferences, including Black Hat USA, DEF CON,InfoSec World Conference and Expo, ToorCon and HackCon. He has been citedin numerous industry and academic publications. Francis holds a Bachelor ofScience and Engineering degree from the University of Pennsylvania, with amajor in computer science and engineering and a minor in psychology. While atPenn, Francis taught operating system implementation and C programming,and participated in DARPA-funded research into advanced intrusion preventionsystem techniques.
Francis BrownStach & Liu
Table of Contents
March 2012 4
Previous Next
Google, Bing and other major search engines, have made it easy to find all manner of information—including everything from exposed password files to SQL injection points.This led to the emergence of Google hacking, a technique used to identify and then exploit system and data vulnerabilities. Google hacking’s popularity waned in the last fewyears, due in large part to Google shutting down the Google SOAP API. However, with aggressive R&D efforts fueled by innovative thinking, as well as significantly more data available on the Web and stored in the cloud, Google hacking is on the rise again. While this gives IT security professionals yet another battle to fight, the good news is that they can leverage the very tools and techniques hackers use to identify and fix any vulnerabilitiestheir companies may have. In other words, they can Google themselves to find securityproblems before the bad guys do. In this report we will examine a slew of new tools andtechniques that will allow security professionals to leverage Google, Bing, Baidu and otheropen search interfaces to proactively track down and eliminate sensitive information disclosures and vulnerabilities in public systems and also take a look at defensive tools designed to pull thousands of real-time RSS updates from search engines to provide userswith alerts—a sort of intrusion detection system (IDS) for Google hacking. Malicious hackershave already embraced search engine hacking as an effective way to target and exploit vulnerabilities on a massive scale. It is imperative that security professionals learn to takeequal advantage of these techniques to help safeguard their organizations.
reports.informationweek.com
reports U s i n g G o o g l e t o F i n d V u l n e r a b i l i t i e s
EXECUTIVE
SUM
MAR
Y
Table of Contents
The vast volumes of information available onthe Internet are of great value to businesses—and to hackers. For years, hackers have been us-ing Google and other search engines to identifyvulnerable systems and sensitive data on pub-licly exposed networks. The practice, known asGoogle hacking, has seen a resurgence of late,providing new challenges for IT professionalsstriving to protect their companies from threatsgrowing in number and sophistication. Google hacking—a term used for penetra-
tion testing using any search engine—surgedin popularity around 2004, when computer se-curity expert Johnny Long first released hisbook Google Hacking for Penetration Testers andthe Google Hacking Database (GHDB). Thedatabase was designed to serve as a repositoryfor search terms, called Google-Dorks, that ex-posed sensitive information, vulnerabilities,passwords and much more. The beginning ofthe end for the Google hacking tools availableat the time came when Google stopped issuingnew Google Simple Object Access Protocol
Previous Next
Google Results for Common Docs
reports.informationweek.com
The Search is on for Vulnerabilities
reports U s i n g G o o g l e t o F i n d V u l n e r a b i l i t i e sTable of Contents
Figure 1
The rate of growth of the documents available for data mining via Google has risen exponentially in the lastfew years. Source: Stach & Liu
March 2012 5
March 2012 6
(SOAP) API keys in.The Google SOAP API wasthe interface that hacking tools used to makeGoogle queries. Google retired the SOAP API tomake room for its Google AsynchronousJavaScript and XML (AJAX) API. Google hackingtools hobbled along until September 2009,when Google closed down the Google SOAPAPI entirely. There recently has been an upswing in
Google hacking, with a few factors playing arole in the practice’s growth. For one thing, theamount of data indexed and searchable byGoogle and other search engines has skyrock-eted in the last few years. Simply put, this hasgiven hackers much more to work with. Therate of growth of the documents available fordata mining via Google is illustrated in Figure1, page 5. There has also been a significant in-crease in new search engine interfaces to vari-ous types of data. Examples include GoogleHealth and Google Code Search (recently shutdown), which have allowed users to searchthrough patient health records and opensource code projects, respectively. We’ve alsoseen the emergence of security-specific search
engines such as Shodan come into play. Thesesearch engines were created specifically for useby penetration testers to identify vulnerableWeb applications on the Internet.We saw a frightening example last year of
just how effective Google hacking can be
when the group LulzSec used Google hackingtechniques to go on an epic spree that left inits wake a number of victims, including Sony,PBS, Arizona’s Department of Public Safety,FBI affiliate InfraGard and the CIA. In othernews, the recent LizaMoon mass SQL injection
Previous Next
reports.informationweek.com
reports U s i n g G o o g l e t o F i n d V u l n e r a b i l i t i e sTable of Contents
As the trend of moving data storage to the cloud continues, so does the risk of data loss. Most cloud-basedstorage offerings are not immune to Google hacking. As shown in the screen, Google can be used to find documents stored in major cloud providers such as Dropbox.
March 2012 7
attack was reported to have affected as manyas 4 million websites, a large step up in scalefrom the few hundred thousand sites affectedby the mass SQL injection attack from the pre-vious June that most notably compromisedThe Wall Street Journal and The Jerusalem Postwebsites.
New Weapons of ChoiceWith the retirement of Google’s SOAP API in
2009, most of the security utilities available forGoogle hacking ceased tofunction, leaving the securityindustry with a need for newand innovative tools. It didnot take long for the vacuumto be filled. For example, inNovember 2010, the Exploit
Database (exploit-db.com) took over maintenance of the Google Hacking Databaseand began adding new Google Dorks, thesearch terms that reveal vulnerabilities andsensitive information disclosures.However, what’s good for hackers is also
good for corporate security professionals,who can make use of Google hacking toolsand other resources to identify—and theneliminate—vulnerabilities in their data sys-tems. The majority of these tools are free andeasy to use, although experience and skillsassociated with Web application security arehelpful in validating scan results and identi-fying which results are real security issuesand which are not.There is no one tool that will serve as a
silver bullet in eliminating search engine exposures. We encourage security profes-sionals to try out and regularly use as manyas possible to gain as much security cover-age as possible over their network perimeter. Here is an overview of some of the tools
currently available.
>> GoogleDiggityGoogleDiggity is a utility from Stach & Liu’s
Google Hacking Diggity Project that lever-ages the Google JSON/ATOM Custom SearchAPI, which means users will not be blocked by
Google bot detection while scanning. Also,unlike other Google hacking tools available,GoogleDiggity allows users to specify aGoogle Custom Search Engine (CSE) ID. Thisallows Google hacking vulnerability checks tobe run against a customized version ofGoogle that will return results tailored to spe-cific organizations.
>> BingDiggity Also from the Google Hacking Diggity Proj-
ect, BingDiggity uses the Bing 2.0 API andStach & Liu’s newly developed Bing HackingDatabase (BHDB) to find vulnerabilities andsensitive information disclosures that are ex-posed via Microsoft’s Bing search engine.This utility also provides footprinting capa-bilities that allow users to enumerate URLs,hosts, domains and IP-to-virtual host map-pings for target companies. In the past,MSN/Bing hacking utilities were limited tofootprinting techniques because Microsofttook steps to prevent traditional hackingtechniques via Bing back in 2007. The BHDB
Previous Next
reports.informationweek.com
reports U s i n g G o o g l e t o F i n d V u l n e r a b i l i t i e sTable of Contents
LikeLikeFollowFollow
Security professionals can expect to see
a continued increase in development
of new tools being released that tap into
data indexed by search engines such as
Google and Bing.
March 2012 8
was created so that the Bing search enginecould be used to discover vulnerabilitieswithin target applications and infrastructure.It provides more than 1,300 Bing searchesthat return vulnerability data.
>> DLPDiggity DLPDiggity is a data loss prevention
(DLP)tool that leverages Google/Bing toidentify exposures of sensitive information,such as Social Security and credit card numbers, via common document formats including.doc, .xls and .pdf. GoogleDiggity orBingDiggity are first used to locate anddownload f i les belonging to target domains/sites on the Internet, then DLPDig-gity is used to analyze those downloadedfiles for sensitive information disclosures.DLPDiggity uses iFilters to search throughthe actual contents of files, as opposed tojust the metadata. Using .NET regular expres-sions, DLPDiggity can find almost any typeof sensitive data within common documentfile formats.
>> FOCAFOCA FREE 3.0.2 is a tool used to carry out
information gathering fingerprinting in Webaudit work. The free version of the tool en-
ables users to find servers, domains, URLsand documents published, as well as ver-sions of software on servers and clients.FOCA became famous for extracting meta-
Previous Next
reports.informationweek.com
reports U s i n g G o o g l e t o F i n d V u l n e r a b i l i t i e sTable of Contents
Like This Report?
Rate It!Something we could dobetter? Let us know.
RateRate
FOCA is a free fingerprinting tool that can be used for information gathering on the Web.
March 2012 9
data of public documents, but today the toolis capable of much more than that.
>> TheHarvesterUsers have always been, and will always be,
the weakest link in the security chain. In thepast few years, there has been an explosion ofpersonal information made readily availableon the Web. That information is easily search-able on sites such as LinkedIn and Facebook.Getting a list of executives, network adminis-trators, developers or even IT security staff as-sociated with a target company is now apretty trivial thing to do. TheHarvester gathersemails, subdomains, hosts, employee names,open ports and banners from different publicsources, including search engines, PGP keyservers and the SHODAN computer database.
>> MaltegoWe’ve seen the emergence of several new
toolkits, such as the Social Engineering Toolkit(SET), that have helped automate (and dumbdown) the process of mounting what wereonce highly sophisticated phishing and social
engineering attacks. Maltego is an opensource intelligence and forensics applicationthat enables the mining and gathering of in-formation, as well as the representation of thisinformation in a meaningful way. The unique
perspective that Maltego offers to both net-work- and resource-based entities is the ag-gregation of information posted all over theInternet. Whether it’s the current configura-tion of a router poised on the edge of your
Previous Next
reports.informationweek.com
reports U s i n g G o o g l e t o F i n d V u l n e r a b i l i t i e sTable of Contents
Tools like Maltego reduce the complexities involved with phishing and social engineering attacks.
March 2012 10
network or the current whereabouts of acompany vice president on an internationalvisit, Maltego can locate, aggregate and visu-alize this information.
>> DeepMagicDeepMagic DNS is a security-specific search
engine that allows attackers to quickly build afootprint of a target organization by allowingthem to easily develop a list of odds names andlive hosts.
>> Bing LinkFromDomainDiggity—Footprinting ToolBing LinkFromDomainDiggity is an attack
footprinting tool that leverages Bing’s link-fromdomain: directive to find off-site links.From those results, the tool then enumerateslists of applications, host names, domains andsubdomains related to an attack target. Weused Bing LinkFromDomainDiggity to buildout a list of targets on the Chinese govern-ment’s domains by analyzing the offsite linksof the Chinese government’s main website.(see screenshot at right)
>> Shodan Shodan is a search engine that lets users
find specific computers (such as routers orservers) using a variety of filters. Some havealso described Shodan as a public port scan
directory or a search engine of banners.Shodan can be used, for example to target su-pervisory control and data acquisition(SCADA) systems that control the critical in-frastructure of a country.
Previous Next
reports.informationweek.com
reports U s i n g G o o g l e t o F i n d V u l n e r a b i l i t i e sTable of Contents
We used Bing LinkFromDomainDiggity to build out a list of targets on the Chinese government’s domains.
>> FlashDiggityFlashDiggity automates Google searching/
downloading/decompiling/analysis of SWFfiles to identify Flash vulnerabilities and infor-mation disclosures. FlashDiggity first lever-ages the GoogleDiggity tool to identifyAdobe Flash SWF applications for target do-mains via Google searches, such as ext:swf.Next, the tool is used to download all of theSWF files in bulk for analysis. The SWF files aredisassembled back to their original Action-Script source code, and then analyzed forcode-based vulnerabilities.
>> PasteBin LeaksInformation disclosures for your organiza-
tion may occur on sites unrelated to your organization. For example, PasteBinleaks is a Twitter feed that tracks the disclo-sure of sensitive information via the Pastebin.com website.
ConclusionSecurity professionals can expect to see a
continued increase in development of bothinnovative methods and new tools beingpublically released that tap into the vastamounts of data indexed by search enginessuch as Google and Bing. Opportunistic hack-ers will undoubtedly be employing these new
tools to target the low-hanging (and not-so-low-hanging) fruit of vulnerabilities exposedon the Web. It is therefore imperative that se-curity professionals learn to take equal advan-tage of these techniques to help safeguardtheir organizations.
Previous Next
reports.informationweek.com
reports U s i n g G o o g l e t o F i n d V u l n e r a b i l i t i e sTable of Contents
Ensuring Secure Database Access
Role-based access control basedon least user privilege is one ofthe most effective ways to pre-vent the compromise of corpo-rate data. But proper provision-ing is a growing challenging, dueto the proliferation of big data,NoSQL databases and cloud-based data storage.
DownloadDownload
March 2012 11
FlashDiggity can be used to identify vulnerabilities in Flash applications.
Previous Next
reports.informationweek.com
reports U s i n g G o o g l e t o F i n d V u l n e r a b i l i t i e sTable of Contents
Google Hacking: A History of Key Events
2004 Google Hacking
Database (GHDB) debuts
Jan. 2005 Foundstone SiteDigger Version 2 released
Feb. 13, 2005 Google Hack
HoneyPot first released
Feb. 20, 2005 Google Hacking
Version 1 released by
Johnny Long
Jan. 10, 2006 MSNPawn Version 1.0 released by NetSquare
Dec. 5, 2006 Google stops
issuing Google SOAP API
keys
Nov. 2, 2007 Google Hacking
Version 2 released
Sept. 7, 2009 Google shuts down SOAP Search API
Dec. 1, 2009 Foundstone SiteDigger Version 3.0
released
2010 Googlag.org disappears
Jan. 15, 2012 Google CodeSearch
shuts down
S
May 2004 Foundstone
SiteDigger Version 1 released
Nov. 2009 Binging tool released by
Blueinfy
Nov. 1, 2010 Google AJAX API slated for
retirement
April 21, 2010 Google Hacking Diggity Project
is launched
Nov. 9, 2010 GHDB Reborn
announces: Exploit-db.com
March 2008 cDc Goolag GUI
tool released
Figure 2
March 2012 12
March 2012 13
Defensive strategies for protecting your organ-ization from Google hacking attacks tradition-ally have been limited, mostly falling back onthe approach of “Google hack yourself.” Thisapproach has several shortcomings. While afew free tools exist that allow security profes-sionals to Google hack their organization, theyare typically inconvenient, utilizing only onesearch engine and providing only a snapshotin time of your organization’s exposure. Secu-rity consultancy Stach & Liu, which works withFortune 500 and government agencies, has cre-ated free defensive tools to help protect yourorganization from exposing vulnerabilities viaGoogle, Bing and other popular search en-gines. The tools fall into two major categories—alert RSS feeds and alert RSS monitoring tools.Together, they form a type of intrusion detec-tion system (IDS) for Google hacking.
Diggity Alert FeedsGoogle Hacking Alerts provide real-time vul-nerability updates via convenient RSS feeds.
Previous Next
reports.informationweek.com
Defensive Alerts Provide New Protections
reports U s i n g G o o g l e t o F i n d V u l n e r a b i l i t i e sTable of Contents
These feeds in turn produce RSS entries that identify vulnerable Web applications on the Internet.
Bing Hacking Alerts employs a similar approach, but instead leverage Stach & Liu’s Bing Hacking Database(BHDB) in conjunction with Microsoft Bing’s &format=rss directive to turn Bing searches into RSS feeds.
March 2012 14
Google Alerts have been created for all1,623 GHDB/FSDB search strings, generatinga new alert each time newly indexed pagesmatch regular expressions.
Diggity Alert ClientsIf you would like to filter these alerts on do-mains and other criteria, making them morerelevant to sites you care about, you can useeither the Microsoft Windows desktop client(AlertDiggity) or iPhone client (iDiggityAlerts) to filter these alerts. —Francis Brown
Previous Next
reports.informationweek.com
reports U s i n g G o o g l e t o F i n d V u l n e r a b i l i t i e sTable of Contents
These alerts have accumulated several thousand hits per day, and now formwhat is likely the largest repository of live vulnerabilities on the Internet.
SubscribeSubscribe
Newsletter
Want to stay current on all newInformationWeek Reports? Subscribe to our weeklynewsletter and never miss a beat.
March 2012 15
Previous
reports.informationweek.com
reports U s i n g G o o g l e t o F i n d V u l n e r a b i l i t i e s
MOR
ELIKE THIS
Want More Like This?InformationWeek creates more than 150 reports like this each year, and they’re all free toregistered users. We’ll help you sort through vendor claims, justify IT projects and imple-ment new systems by providing analysis and advice from IT professionals. Right now on oursite you’ll find:
Strategy: Database Defense: The biggest threat to your company’s most sensitive datamay be the employee who has legitimate access to corporate databases but less-than-legiti-mate intentions. And while the incidence of insider data breaches has decreased, external at-tacks often imitate them—and do serious damage. Follow our advice to mitigate the risk.
Strategy: Understanding Software Vulnerabilities: To protect company and customerdata, we need to determine what makes it so vulnerable and appealing. We also need to un-derstand how hackers operate, and what tools and processes they rely on. In this report weexplain how to ensure the best defense by thinking like an attacker and identifying theweakest link in your own corporate data chain.
Private Cloud Blueprint:We outline plans to help you move beyond server virtualization tobuild a more flexible and efficient data center. From network and storage virtualization toautomation and orchestration to promoting your private cloud services, our guide takes youthrough the essentials needed to build a private cloud.
PLUS: Find signature reports, such as the InformationWeek Salary Survey, InformationWeek500 and the annual State of Security report; full issues; and much more.
Table of Contents