Navigation

Language Selection

Search

Google now a hacker's tool

Submitted by srlinuxx on Tuesday 2nd of August 2005 04:23:03 PM Filed under

Security

Somewhere out on the Internet, an Electric Bong may be in danger. The threat: a well-crafted Google query that could allow a hacker to use Google's massive database as a resource for intrusion.

"Electric Bong" was one of a number of household devices that security researcher Johnny Long came across when he found an unprotected Web interface to someone's household electrical network. To the right of each item were two control buttons, one labelled "on," the other, "off."

Long, a researcher with Computer Sciences Corp. and author of the book, "Google Hacking for Penetration Testers," was able to find the Electric Bong simply because Google contains a lot of information that wasn't intended to lie unexposed on the Web. The problem, he said at the Black Hat USA conference in Las Vegas last week, lies not with Google itself but with the fact that users often do not realize what Google's powerful search engine has been able to dig up.

In addition to power systems, Long and other researchers were able to find unsecured Web interfaces that gave them control over a wide variety of devices, including printer networks, PBX (private branch exchange) enterprise phone systems, routers, Web cameras, and of course Web sites themselves. All can be uncovered using Google, Long said.

But the effectiveness of Google as a hacking tool does not end there. It can also be used as a kind of proxy service for hackers, Long said.

Although security software can identify when an attacker is performing reconnaissance work on a company's network, attackers can find network topology information on Google instead of snooping for it on the network they're studying, he said. This makes it harder for the network's administrators to block the attacker. "The target does not see us crawling their sites and getting information," he said.

Often, this kind of information comes in the form of apparently nonsensical information -- something that Long calls "Google Turds." For example, because there is no such thing as a Web site with the URL (Uniform Resource Locator) "nasa," a Google search for the query "site:nasa" should turn up zero results. instead, it turns up what appears to be a list of servers, offering an insight into the structure of Nasa's (the U.S. National Aeronautics and Space Administration's) internal network, Long said.

Combining well-structured Google queries with text processing tools can yield things like SQL (Structured Query Language) passwords and even SQL error information. This could then be used to structure what is known as a SQL injection attack, which can be used to run unauthorized commands on a SQL database. "This is where it becomes Google hacking," he said. "You can do a SQL injection, or you can do a Google query and find the same thing."

Although Google traditionally has not concerned itself with the security implications of its massive data store, the fact that it has been an unwitting participant in some worm attacks has the search engine now rejecting some queries for security reasons, Long said. "Recently, they've stepped into the game."

Source.

Login or register to post comments
Printer-friendly version
1338 reads
PDF version

More in Tux Machines

Critical Live Boot Bug Fixed and Ubuntu 18.04 is Finally Released

A critical bug in live boot session delayed Ubuntu 18.04 LTS release for several hours. The bug has been fixed and the ISO are available to download.

Nintendo Switch hack + Dolphin Emulator could bring GameCube and Wii game support

This week security researchers released details about a vulnerability affecting NVIDIA Tegra X1 processors that makes it possible to bypass secure boot and run unverified code on some devices… including every Nintendo Switch game console that’s shipped to date. Among other things, this opens the door for running modified versions of Nintendo’s firmware, or alternate operating systems such as a GNU/Linux distribution. And if you can run Linux… you can also run Linux applications. Now it looks like one of those applications could be the Dolphin emulator, which lets you play Nintendo GameCube and Wii games on a computer or other supported devices.

Openwashing Leftovers

We pick a storage CTO's brains on Linux-heads, big vendors – and should all the admins NVMe? [Ed: Cloudwashing and marketing in 'interview' form]

He became VP for engineering product strategy at Cavium-owned QLogic in 2014, moving on to be the CTO in late 2014, and then CTO for Ethernet and Fibre Channel Adapters in 2016, leaving for semi-retirement at the end of 2017.
How open source Ceph compares to commercial Ceph products [Ed: Well, “open source” and “commercial” are not opposites. He means proprietary, not commercial.]

Ceph software-defined storage is available for free, thanks to its open source nature. However, in some situations, a commercial Ceph product could be the way to go.
Audi puts open source big data foundations in place for car usage data [Ed: Audi calls surveillance "open source" or "big data". The kind of openwashing that insults FOSS.]
Microsoft’s C++ library manager now available for Linux and macOS [Ed: Proprietary trap for GNU/Linux from the company that blackmails GNU/Linux vendors and bribes officials/executives to not use GNU/Linux]
Percona Delivers First, Free, Open Source Method of Centralized Key Management for MySQL
Apple Open Sources FoundationDB, a Distributed Datastore

Linux Foundation: New Members, Cloud Foundry, and Embedded Linux Conference + OpenIoT Summit

41 Organizations Join The Linux Foundation to Support Open Source Communities With Infrastructure and Resources

The Linux Foundation, the nonprofit organization enabling mass innovation through open source, announced the addition of 28 Silver members and 13 Associate members. Linux Foundation members help support development of the shared technology resources, while accelerating their own innovation through open source leadership and participation. Linux Foundation member contributions help provide the infrastructure and resources that enable the world's largest open collaboration communities.
Cloud Foundry for Developers: Architecture

Back in the olden days, provisioning and managing IT stacks was complex, time-consuming, and error-prone. Getting the resources to do your job could take weeks or months. Infrastructure-as-a-Service (IaaS) was the first major step in automating IT stacks, and introduced the self-service provisioning and configuration model. VMware and Amazon were among the largest early developers and service providers. Platform-as-a-Service (PaaS) adds the layer to IaaS that provides application development and management. Cloud Foundry is for building Platform as a Service (PaaS) projects, which bundle servers, networks, storage, operating systems, middleware, databases, and development tools into scalable, centrally-managed hardware and software stacks. That is a lot of work to do manually, so it takes a lot of software to automate it.
Jonathan Corbet on Linux Kernel Contributions, Community, and Core Needs

At the recent Embedded Linux Conference + OpenIoT Summit, I sat down with Jonathan Corbet, the founder and editor-in-chief of LWN to discuss a wide range of topics, including the annual Linux kernel report. The annual Linux Kernel Development Report, released by The Linux Foundation is the evolution of work Corbet and Greg Kroah-Hartman had been doing independently for years. The goal of the report is to document various facets of kernel development, such as who is doing the work, what is the pace of the work, and which companies are supporting the work.

Latest News

Red Hat Enterprise Linux 6.10 Enters Beta with a Focus on Security and Stability

In an attempt to continue to deliver upon Red Hat’s 10-year lifecycle support, Red Hat Enterprise Linux 6.10 entered beta stages of development today with a focus on improving the security and stability of the operating system, as well as to add support for the latest hardware and software components, and support the next generation of cloud-native apps. "With a focus on stability and security features that maintain hardware, application, and management tooling compatibility, Red Hat Enterprise Linux 6.10 Beta is designed to support the next generation of cloud-native applications through an updated Red Hat Enterprise Linux 6 base image," said Red Hat in today's announcement. Also: Red Hat Enterprise Linux 6.10 Enters Beta

GNU/Linux on Chromebooks

Linux applications on Chrome OS will use Material Design [Ed: There was false news that Microsoft benefited from [1, 2]]
Linux Apps On Chromebooks Will Employ Material Design – Kind Of

Much like the dawn of Android apps on Chromebooks, the buzz around container-driven Linux apps is growing day by day. More features keep cropping up and it feels like we might be headed towards some sort of announcement at Google I/O in a couple weeks, even if we don’t hear it in the primary keynote.
Linux apps on Chrome OS – an overview of its biggest feature since Android apps

today's howtos

Syndication & Social Media

Follow the site via RSS/Twitter.

Full RSS:

RSS feeds for particular topics are also available

Twitter:

Content (where original) is available under CC-BY-SA, copyrighted by original author/s.

Tux Machines is proud to be hosted by

Support Tux Machines

Help Support TM
Wall of Appreciation

Linux Gizmos

Linux Today

LinuxSecurity.com Advisories

More on Tux Machines: About ● Gallery ● Forum ● Blogs ● Search ● News ● RSS Feed

Part of Bytes Media ● Sister sites below.

Linux.com

DW Latest Releases

Phoronix

Content available under CC-BY-SA

Navigation

Language Selection

Search

Tux Machines Section/s

Authors Information

DistroWatch

LWN

LXer

OpenSource.com

Active forum topics