It turns out Google is good for something other than finding phone numbers, driving directions and porn.
InfosecIslander Kevin McAleavey did a post today that serves as brief pointer on Using Google for Evil. His point was to explain not how LulzSec and similarly malicious script kids crack targets like Sony and the CIA, but how they and their ilk can find just the right kind of target by searching for sites exposing exactly the vulnerabilities for which they've already downloaded tools.
Searching on filetype:sql hotmail gmail password, for example pulls up sql database setup data on a fascinating variety of sites, including a government-operated university in India and a singles dating site in Uganda.
Searching on inurl:"login.(asp|php)" inurl:"id=1" pulls up login sites for, among other things, an Avatar (the movie) role-playing game, an art auction site, a number of shipping sites and B2B exchange-payment site QuickPayPro.
None of the links got me any closer to getting in to any of those sites than I was beforehand, but my hacking skills don't even rise to the script-kid level.
McAleavey's point is not to mentor wannabe script kids by showing them how to search for the opponents they know are vulnerable to their limited charms. He lists himself as developer of a secure operating system called KNOS and anti-malware researcher, and sounds more exasperated by idiots than anything else. (Nearly everyone who's worked on the white-hat side of security for any length of time seems to develop the same tone, no matter whether they're at the script-kid or grizzled guru stage of life.)
His purpose is to point out how much useful information about SQL and PHP apps is exposed not on careful examination of a server, but right in the URL.
Sitemaps built to increase traffic by Search Engine Optimization tools that fawn over Google spiders are even worse, he writes.
They "will truly map everything it can find and then wrap it all up into a nice little XML file that the webmaster uploads to the search engines."
SEO tools can index databases and scripts, not just content, then expose those to anyone who knows the right sequence to search for.
"Incredibly, a lot of not-so-experienced webmasters will run the SEO tool and never look at the final output before sending it!"
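The sitemap problem McAleavey describes is easy to catch before the file ever leaves the webmaster's hands. The script below is an added example, not code from McAleavey or from this post: it parses a sitemap.xml (the sample is constructed here) and flags the entries a webmaster should pull before uploading, namely the database dumps, backups, internal paths and login pages with numeric ids in the query string that the searches above turn up. The extension and path-word lists are assumptions to tune for a given site.

```python
"""Audit a sitemap.xml before it is uploaded to search engines.

Flags URLs that point at things a crawler should never be told about:
database dumps, backups, configuration and script internals, and
login pages carrying a numeric record id in the query string.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

# Extensions that mean data or source rather than web content (assumed list; tune per site).
SENSITIVE_EXTENSIONS = (".sql", ".bak", ".old", ".env", ".ini", ".log",
                        ".zip", ".tar", ".gz", ".config", ".inc", ".swp")
# Path segments that suggest administrative or internal areas (assumed list; tune per site).
SENSITIVE_PATH_WORDS = ("admin", "backup", "dump", "phpmyadmin", "config", "private")
LOGIN_PAGE = re.compile(r"^login\.(asp|aspx|php)$", re.IGNORECASE)

# Constructed sample sitemap, not from any real site.
SAMPLE_SITEMAP = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://shop.example/index.php</loc></url>
  <url><loc>https://shop.example/products.php?cat=3</loc></url>
  <url><loc>https://shop.example/backup/users.sql</loc></url>
  <url><loc>https://shop.example/admin/login.php?id=1</loc></url>
  <url><loc>https://shop.example/config/db.inc</loc></url>
</urlset>
"""


def classify_url(url):
    """Return the reasons a URL does not belong in a public sitemap (empty list if it is fine)."""
    parsed = urlparse(url)
    path = parsed.path.lower()
    reasons = []
    for ext in SENSITIVE_EXTENSIONS:
        if path.endswith(ext):
            reasons.append(f"sensitive extension {ext}")
            break
    segments = [s for s in path.split("/") if s]
    for word in SENSITIVE_PATH_WORDS:
        if word in segments:
            reasons.append(f"internal path segment '{word}'")
    if segments and LOGIN_PAGE.match(segments[-1]):
        reasons.append("login page")
        # A login URL with id=1 style parameters is exactly what the inurl: search finds.
        query = parse_qs(parsed.query)
        if any(values and values[0].isdigit() for values in query.values()):
            reasons.append("numeric id in query string")
    return reasons


def parse_sitemap(xml_text):
    """Return every <loc> URL in a sitemap, with or without the sitemaps.org namespace."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    urls = []
    for elem in root.iter():
        # Strip any "{namespace}" prefix so both namespaced and bare sitemaps work.
        if elem.tag.rsplit("}", 1)[-1] == "loc" and elem.text:
            urls.append(elem.text.strip())
    return urls


def audit_sitemap(xml_text):
    """Map each flagged URL to its list of reasons; URLs with no findings are omitted."""
    flagged = {}
    for url in parse_sitemap(xml_text):
        reasons = classify_url(url)
        if reasons:
            flagged[url] = reasons
    return flagged


if __name__ == "__main__":
    report = audit_sitemap(SAMPLE_SITEMAP)
    for url, reasons in report.items():
        print(f"REVIEW {url}: {', '.join(reasons)}")
    print(f"{len(report)} of {len(parse_sitemap(SAMPLE_SITEMAP))} entries need review")
```

Run it against the real sitemap.xml the SEO tool produced and treat every flagged line as a file to remove from the map and, more importantly, from the web root; the sitemap only tells Google what was already reachable.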
It's not exactly a secret that this much info is exposed.
This morning I posted a piece about an Australian security guy who found an unencrypted list of 300,000 customers of Groupon stored on the server of its Indian subsidiary SoSasta. He was searching for data for a site that checks to see if your email accounts have been compromised by searching Google for SQL database files that were accessible online and had keywords like "password" and "gmail."
If he can do it, so can whoever would like to get into your site.
McAleavey offers a few tips and pointers to more detailed warnings and configuration guides.
His biggest point is not that Google is a huge danger. It's that webmasters who don't know what data are available on their sites are at fault for thinking "security" means locking the door and leaving all the windows open with a good solid ladder on the ground underneath.
Then he falls into the LulzSec trap of using silly boat-metaphor puns to make his point – an error that's regrettable, though unavoidable, and which he makes up for by using the word "poop" in an otherwise perfectly serious and informative post.
Nice touch, Kev.
"Bottom line: If you don't want pirates on your poopdeck, remember the golden rule. If it's ON your website, it's there for the pickings. Do NOT toss your company's wallet on the sidewalk and expect it to be there intact the following morning."