Watching them, watching you
4 Aug 08
The power of Internet search engines can be used by intruders to hack into company data. Alan Woodward offers a warning and suggests solutions to the problem
by Alan Woodward
Technology, capable of being used for both good and bad purposes, is a neutral force, but it is now a whole lot easier to misuse one particular technology: Internet search engines.
Why? Because Internet hacking groups have been busily issuing instruction manuals on exactly how to use search engines for serious hacking.
In many cases, would-be hackers do not even need to know the technical details of what they are doing but can simply cut and paste search criteria into the search bar.
Internet search engines are among the most powerful technologies in the world. Their performance is close to miraculous. They scour the global web for the results we want and then present us with them, in about as much time as it takes a finger to click on a mouse. Best of all, the user interface to a search engine is simplicity itself.
As always with truly powerful technology, though, there is a potential downside. In the case of the search engines, which in practice for most of us nowadays means Google, the downside is that it can easily be used to unearth information about you that you do not want people to know.
Why? Primarily because Google is so powerful. What it and other search engines do is ensure that all information accessible via the Internet is conveniently indexed so that you know exactly where to look should you require it, rather like the card indexes
in libraries of old, except that Internet search engines are billions of times faster.
This means that anyone in the market for illicit corporate data (or who just feels mischievous, an emotion that the Internet tends to indulge) can take advantage of search engines’ power to find data to which the authors or originators never intended them to have access but which have inadvertently been left exposed.
Search engines such as Google are a lot better at searching for such data than is commonly realised. To some extent, that is the price one pays for the tremendous power of search engines.
Google, for example, has special tools, known as advanced operators, that search through the raft of data Google identifies from the Internet. They are query words that have special meaning when used with Google. To take one example, “link:” is an advanced operator, and the query “link:www.google.com” does not result in a normal search but should yield all web pages that have links to www.google.com
Several of the more common advanced operators use punctuation or special characters instead of words. Google itself freely gives details of these special operators on the page www.google.com/help/operators.html
For Google users conducting genuine searches, advanced operators can be tremendously helpful. They are just as freely available to hackers, who exploit the fact that many people, when designing their website (or getting others to design it) and then going live with it, believe they have locked their front door and are only going live with information they want to publicise. In fact they have left a window wide open alongside it and are inadvertently publicising information they want to keep secret. Worst of all, people operating or designing websites do not know they have done this until, very likely, it is too late.
Search engine providers know this is happening and want to combat it. Google, for example, will gently suggest you might like to use something called the ‘Google Hacks Honeypot’. This is intended to help organisations that fear they have been compromised, or have the potential to be.
“Honeypot” is a nickname for a set of dummy data that masquerades as valuable information but is isolated from the real main computer network and can track anyone attempting to access it. The honeypot appears to an intruder to be a bona fide business system offering easy access to sensitive data.
Honeypots can be used to track hackers who attempt to access websites using information that may have been inadvertently left exposed. Google even points users to this initiative for help on how to regain the security edge. Honeypots work by turning the tables on the attacker by capturing information such as the attacker’s network address.
Using honeypots may seem a little like bolting the stable door once the horse has fled. However, sometimes you can be in a position where you know that you have had an intruder but are not sure what they were looking at or who exactly they were. Honeypots are a way of having the intruders leave their sticky fingerprints on dummy data, allowing you to trace them and turn them over to the proper authorities.
To come down to specifics, what kind of information can hackers potentially find out using search engines? The answer to this will, inevitably, vary from one website to another, but typical of the honey whose gathering a honeypot is designed to prevent would be:
• the username and password of the administrator account that controls the whole system;
• personal information that could be used in identity theft;
• files containing commercially sensitive financial information about a company;
• details of customer credit cards; and
• perhaps worst of all, webcams broadcasting to the world when the owner thinks only he/she can view the broadcast.
The message is clear: be vigilant. The likelihood of this kind of attack is increasing all the time. Using vulnerability scanners is essential if you want the peace of mind that your computer system is protected against interference and unauthorised viewing. n
Alan Woodward is chief technology officer at the business and information technology consultancy Charteris. .