Language Selection

English French German Italian Portuguese Spanish

Google now a hacker's tool

Filed under
Security

Somewhere out on the Internet, an Electric Bong may be in danger. The threat: a well-crafted Google query that could allow a hacker to use Google's massive database as a resource for intrusion.

"Electric Bong" was one of a number of household devices that security researcher Johnny Long came across when he found an unprotected Web interface to someone's household electrical network. To the right of each item were two control buttons, one labelled "on," the other, "off."

Long, a researcher with Computer Sciences Corp. and author of the book, "Google Hacking for Penetration Testers," was able to find the Electric Bong simply because Google contains a lot of information that wasn't intended to lie unexposed on the Web. The problem, he said at the Black Hat USA conference in Las Vegas last week, lies not with Google itself but with the fact that users often do not realize what Google's powerful search engine has been able to dig up.

In addition to power systems, Long and other researchers were able to find unsecured Web interfaces that gave them control over a wide variety of devices, including printer networks, PBX (private branch exchange) enterprise phone systems, routers, Web cameras, and of course Web sites themselves. All can be uncovered using Google, Long said.

But the effectiveness of Google as a hacking tool does not end there. It can also be used as a kind of proxy service for hackers, Long said.

Although security software can identify when an attacker is performing reconnaissance work on a company's network, attackers can find network topology information on Google instead of snooping for it on the network they're studying, he said. This makes it harder for the network's administrators to block the attacker. "The target does not see us crawling their sites and getting information," he said.

Often, this kind of information comes in the form of apparently nonsensical information -- something that Long calls "Google Turds." For example, because there is no such thing as a Web site with the URL (Uniform Resource Locator) "nasa," a Google search for the query "site:nasa" should turn up zero results. instead, it turns up what appears to be a list of servers, offering an insight into the structure of Nasa's (the U.S. National Aeronautics and Space Administration's) internal network, Long said.

Combining well-structured Google queries with text processing tools can yield things like SQL (Structured Query Language) passwords and even SQL error information. This could then be used to structure what is known as a SQL injection attack, which can be used to run unauthorized commands on a SQL database. "This is where it becomes Google hacking," he said. "You can do a SQL injection, or you can do a Google query and find the same thing."

Although Google traditionally has not concerned itself with the security implications of its massive data store, the fact that it has been an unwitting participant in some worm attacks has the search engine now rejecting some queries for security reasons, Long said. "Recently, they've stepped into the game."

Source.

More in Tux Machines

Games for GNU/Linux

  • Stardew Valley is now in beta for Linux
    The Stardew Valley developer tweeted out a password for a beta, but after discussing it with them on their forum I was able to show them that we can't actually access it yet. While what I was telling them may not have been entirely correct (SteamDB is confusing), the main point I made was correct. Normal keys are not able to access the beta yet, but beta/developer keys can, as it's not currently set for Linux/Mac as a platform for us.
  • Physics-based 3D puzzler Human: Fall Flat released on Steam for Linux
    Human: Fall Flat is an open-ended physics puzzler with an optional local co-op mode, developed by No Brakes Games, and available now on Steam for Linux.
  • 7 Mages brings a touch more of traditional dungeon crawling to Linux
    Controlling a party of adventurers, exploring dungeons and fighting weird magical creatures is an RPG tradition as old as the genre. Expect all that and more in this modern iteration of the classical dungeon crawler.

Linux and Graphics

Security News

  • Security advisories for Monday
  • EU to Give Free Security Audits to Apache HTTP Server and Keepass
    The European Commission announced on Wednesday that its IT engineers would provide a free security audit for the Apache HTTP Server and KeePass projects. The EC selected the two projects following a public survey that took place between June 17 and July 8 and that received 3,282 answers. The survey and security audit are part of the EU-FOSSA (EU-Free and Open Source Software Auditing) project, a test pilot program that received funding of €1 million until the end of the year.
  • What is your browser really doing?
    While Microsoft would prefer you use its Edge browser on Windows 10 as part of its ecosystem, the most popular Windows browser is Google’s Chrome. But there is a downside to Chrome – spying and battery life. It all started when Microsoft recently announced that its Edge browser used less battery power than Google Chrome, Mozilla Firefox or Opera on Windows 10 devices. It also measured telemetry – what the Windows 10 device was doing when using different browsers. What it found was that the other browsers had a significantly higher central processing unit (CPU), and graphics processing unit (GPU) overhead when viewing the same Web pages. It also proved that using Edge resulted in 36-53% more battery life when performing the same tasks as the others. Let’s not get into semantics about which search engine — Google or Bing — is better; this was about simple Web browsing, opening new tabs and watching videos. But it started a discussion as to why CPU and GPU usage was far higher. And it relates to spying and ad serving.
  • Is Computer Security Becoming a Hardware Problem?
    In December of 1967 the Silver Bridge collapsed into the Ohio River, killing 46 people. The cause was determined to be a single 2.5 millimeter defect in a single steel bar—some credit the Mothman for the disaster, but to most it was an avoidable engineering failure and a rebuttal to the design philosophy of substituting high-strength non-redundant building materials for lower-strength albeit layered and redundant materials. A partial failure is much better than a complete failure. [...] In 1996, Kocher co-authored the SSL v3.0 protocol, which would become the basis for the TLS standard. TLS is the difference between HTTP and HTTPS and is responsible for much of the security that allows for the modern internet. He argues that, barring some abrupt and unexpected advance in quantum computing or something yet unforeseen, TLS will continue to safeguard the web and do a very good job of it. What he's worried about is hardware: untested linkages in digital bridges.
  • Your Smart Robot Is Coming in Five Years, But It Might Get Hacked and Kill You
    A new report commissioned by the Department of Homeland Security forecasts that autonomous artificially intelligent robots are just five to 10 years away from hitting the mainstream—but there’s a catch. The new breed of smart robots will be eminently hackable. To the point that they might be re-programmed to kill you. The study, published in April, attempted to assess which emerging technology trends are most likely to go mainstream, while simultaneously posing serious “cybersecurity” problems. The good news is that the near future is going to see some rapid, revolutionary changes that could dramatically enhance our lives. The bad news is that the technologies pitched to “become successful and transformative” in the next decade or so are extremely vulnerable to all sorts of back-door, front-door, and side-door compromises.
  • Trump, DNC, RNC Flunk Email Security Test
    At issue is a fairly technical proposed standard called DMARC. Short for “domain-based messaging authentication reporting and conformance,” DMARC tries to solve a problem that has plagued email since its inception: It’s surprisingly difficult for email providers and end users alike to tell whether a given email is real – i.e. that it really was sent by the person or organization identified in the “from:” portion of the missive.
  • NIST Prepares to Ban SMS-Based Two-Factor Authentication
    The US National Institute of Standards and Technology (NIST) has released the latest draft version of the Digital Authentication Guideline that contains language hinting at a future ban on SMS-based Two-Factor Authentication (2FA). The Digital Authentication Guideline (DAG) is a set of rules used by software makers to build secure services, and by governments and private agencies to assess the security of their services and software. NIST experts are constantly updating the guideline, in an effort to keep pace with the rapid change in the IT sector.
  • 1.6m Clash of Kings forum accounts 'stolen'
    Details about 1.6 million users on the Clash of Kings online forum have been hacked, claims a breach notification site. The user data from the popular mobile game's discussion forum were allegedly targeted by a hacker on 14 July. Tech site ZDNet has reported the leaked data includes email addresses, IP addresses and usernames.
  • Hacker steals 1.6 million accounts from top mobile game's forum
    [Ed: vBulletin is proprietary software -- the same crap Canonical used for Ubuntu forums]

The saga continues with Slackware 14.2

Slackware is the oldest surviving Linux distribution and has been maintained since its birth by Patrick Volkerding. Slackware has a well deserved reputation for being stable, consistent and conservative. Slackware is released when it is ready, rather than on a set schedule, and fans of the distribution praise its no-frills and no-fuss design. Slackware adheres to a "keep it simple" philosophy similar to Arch Linux, in that the operating system does not do a lot of hand holding or automatic configuration. The user is expected to know what they are doing and the operating system generally stays out of the way. The latest release of Slackware, version 14.2, mostly offers software updates and accompanying hardware support. A few new features offer improved plug-n-play support for removable devices and this release of Slackware ships with the PulseAudio software. PulseAudio has been commonly found in the audio stack of most Linux distributions for several years, but that is a signature of Slackware: adding new features when they are needed, not when they become available. In this case PulseAudio was required as a dependency for another package. Slackware 14.2 is available in 32-bit and 64-bit builds for the x86 architecture. There is also an ARM build. While the main edition of Slackware is available as an installation disc only, there is a live edition of Slackware where we can explore a Slackware-powered desktop environment without installing the distribution. The live edition can be found on the Alien Base website. Both the live edition and the main installation media are approximately 2.6GB in size. For the purposes of this review I will be focusing on the main, installation-only edition. Booting from the install media brings us to a text screen where we are invited to type in any required kernel parameters. We can press the Enter key to take the default settings or wait two minutes for the media to continue booting. A text prompt then offers to let us load an alternative keyboard layout or use the default "US" layout. We are then brought to a text console where a brief blurb offers us tips for setting up disk partitions and swap space. The helpful text says we can create partitions and then run the system installer by typing "setup". Read more