Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Criminals still using Google to find flaws

Social security numbers to go.

Article comments

Search engines such as Google are still widely being used by hackers against web applications that hold sensitive data, according to a security expert.

Even with rising awareness about data security, it takes all of a few seconds to pluck Social Security numbers from websites using targeted search terms, said Amichai Shulman, founder and chief technology officer for database and application security company Imperva.

The fact that Social Security numbers are even on the web is a human error; the information should never be published in the first place. But hackers are using Google in more sophisticated ways to automate attacks against websites, Shulman said.

Shulman said Imperva recently discovered a way to execute a SQL injection attack that comes from an IP address that belongs to Google.

In a SQL injection attack, a malicious instruction is entered on a web-based form and answered by a web application. It often can yield sensitive information from a backend database or be used to plant malicious code on the web page.

Shulman declined to give details on how the attack works during his presentation at the UK RSA Conference on Monday, but said it involves Google's advertising system. Google has been notified, he said.

Manipulating Google is particularly useful since it offers anonymity for a hacker plus an automated attack engine, Shulman said.

Tools such as Goolag and Gooscan could execute broad searches across the web for specific vulnerabilities and return lists of websites that have those problems.

"This is no more a script kiddy game - this is a business," Shulman said. "This is a very powerful hacking capability."

Another attack method is so-called Google worms, which use the search engine to find specific vulnerabilities. With the inclusion of additional code, the vulnerability can be exploited, Shulman said.

"In 2004, this was science fiction," Shulman said. "In 2008, this is a painful reality."

Google and other search engines are taking steps to stop the abuse. For example, Google has stopped certain kinds of searches that could yield a trove of Social Security numbers in a single swoop. It also puts limits on the number of search requests sent per minute, which can slow down mass searches for vulnerable websites.

In reality, it just forces hackers to be a bit more patient. Putting limits on search also hurts security professionals who want to do automated daily searches of their websites for problems, Shulman said.

Shulman said he's seen another kind of attack called "site masking," which causes a legitimate website to simply disappear from search results.

Google's search engine penalises sites that have duplicate content and will drop one from its index. Hackers can take advantage of this by creating a website that has a link to a competitor's web page but is filtered through a proxy server.

Google indexes the content under the proxy's domain. If this is done enough times with more proxy servers, Google will consider the targeted Web page a duplicate and drop it from its index.

"This is quite a business hassle," Shulman said.

One way web site administrators can defend against this is barring their website from being indexed by anything other than the legitimate IP address of a search engine, Shulman said.



Share:

More from Techworld

More relevant IT news

Comments



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *