Black Hat Google Hacking Goes After China
Search engine hacking grows up as researchers release new tools to automate the use of search discovery for security enumeration.
At Black Hat 2010, researchers from Stach and Liu released Google and Bing tools called GoogleDiggity and BingDiggity. Those tools enable researchers to leverage those search engines to find security vulnerabilities in websites and applications. For Black Hat 2011, the researchers are back, and this time they're expanding their tools to provide new capabilities to find and identify security risk with the help of search engines.
"This year we're adding a whole host of tools including a Windows desktop application as well as an iPhone app," Stach and Liu security researcher Francis Brown said.
Brown explained that the new applications will enable users to plug in the website they want to monitor for hack alerts. The applications will then provide pop-up alerts when something happens in a security feed.
The new desktop tools expand on the Google Diggity and Bing Diggity Web tools that they released in 2010. Additionally, Stach and Liu are expanding their search hacking tools to Chinese search engine Baidu.
"Baidu is the largest search engine used by people in China and it's the best indexer of Chinese websites," Brown said. "So if you're a U.S. government employee that is inclined to find vulnerabilities in China, this should be your tool."
Brown noted that in a sample scan he found thousands of MySQL error messages in Chinese government websites. Those MySQL errors could potentially be indicative of SQL Injection vulnerabilities that might be exploitable.
"So we can hack China back," Brown said.
Looking beyond Web search results, Stach and Liu are now also searching Google Code results. The addition of Google Code enables code bases to be scanned in an automated way.
Brown noted that using search engines to find vulnerabilities is likely a key attack vector that the Lulzsec hacking group might have used to exploit dozens of sites so far in 2011.
"Lulzsec are basically Google hackers, finding vulnerabilities that are interesting and then exploiting them," Brown said. "With all the headlines that Lulzsec has grabbed over the last six or seven months, it's a good possibility that Google hacking was the primary mode they used to identify people to go after."
While Stach and Liu's goal in releasing their new tools for identifying security risk is to help companies protect themselves, the tools could potentially also be used by attackers.
"Could they use our tools in attacks today? It's possible," Brown said.
In addition to searching for potential vulnerabilities, Stach and Liu are now releasing a new tool to help identify sensitive documents that might be on the Web. The DiggityDLP (digital loss prevention) tool searches for and downloads documents, PDFs and spreadsheets from a target domain. The tool then goes through the content looking for credit card numbers, Social Security numbers and other private information that shouldn't be public.
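The kind of content check DiggityDLP is described as running over fetched documents, as an added example that is not Stach and Liu's code (theirs is closed source): it scans document text for card-number candidates, keeps only those that pass the Luhn checksum so that invoice-style digit runs don't produce false positives, and flags SSN-shaped values. The sample document text, the regexes and the Luhn filter are my own construction.

```python
import re

# Constructed sample of text extracted from a downloaded document.
# 4111 1111 1111 1111 is a standard test card number; the SSN is a
# well-known published sample, not a real person's.
SAMPLE_DOCUMENT = """
Reunion committee budget 2011
Deposit card: 4111 1111 1111 1111 (exp 03/13)
Backup card: 4111-1111-1111-1112
Invoice number 1234567890123456
Contact SSN on file: 078-05-1120
Phone: 555-123-4567
"""

# 13-19 digits, optionally separated by spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# AAA-GG-SSSS with the area/group/serial values that are never issued excluded.
SSN_CANDIDATE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum as used by payment card numbers (right-to-left, double every second digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return normalised digit strings that look like cards AND pass Luhn."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def find_ssns(text: str) -> list[str]:
    """Return SSN-shaped values; format checks only, no issuance lookup."""
    return SSN_CANDIDATE.findall(text)


def scan_document(text: str) -> dict:
    """One DLP pass over extracted document text: what a reviewer would triage."""
    return {"cards": find_card_numbers(text), "ssns": find_ssns(text)}


if __name__ == "__main__":
    hits = scan_document(SAMPLE_DOCUMENT)
    for kind, values in hits.items():
        print(kind, [v[-4:].rjust(len(v), "*") for v in values])  # masked for the report
```

Note that the Luhn-invalid "backup card" and the 16-digit invoice number are both dropped, which is the difference between a DLP hit list a human can triage and a pile of noise.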
When it comes to what Stach and Liu have found when they scan websites for clients, there is a long list of different vulnerabilities and risks. In one case, Brown noted that a GoogleDiggity scan found that a client company was hosting a high-school reunion site on a corporate server. That reunion site had vulnerabilities in it that could potentially have put the whole enterprise at risk.
"In general, we roll the dice and find a random issue that could have some kind of sensitive data or security risk," Brown said.
Brown noted that all the Diggity tools, including the Google, Bing and DLP versions, are freely available. The code itself, however, is not open source.
"We're a pure play service company and all these tools are released for free as a function of marketing for our consulting services," Brown said.