June 29, 2011, 4:10 PM — It turns out Google is good for something other than finding phone numbers, driving directions and porn.
InfosecIslander Kevin McAleavey did a post today that serves as brief pointer on Using Google for Evil. His point was to explain not how LulzSec and similarly malicious script kids crack targets like Sony and the CIA, but how they and their ilk can find just the right kind of target by searching for sites exposing exactly the vulnerabilities for which they've already downloaded tools.
[Also see: Hackers gone mild: 6 rebels turned insiders]
Searching on filetype:sql hotmail gmail password, for example pulls up sql database setup data on a fascinating variety of sites, including a government-operated university in India and a singles dating site in Uganda.
Searching on inurl:"login.(asp|php) inurl:"id=1" pulls up login sites for, among other things, an Avatar (the movie) role-playing game, art auction site, a number of shipping sites and B2B exchange-payment site QuickPayPro.
None of the links got me any closer to getting in to any of those sites than I was beforehand, but my hacking skills don't even rise to the script-kid level.
McAleavey's point is not to mentor wannabe script kids by showing them how to search for the opponents they know are vulnerable to their limited charms. He lists himself as developer of a secure operating system called KNOS and anti-malware researcher, and sounds more exasperated by idiots than anything else. (Nearly everyone who's worked on the white-hat side of security for any length of time seems to develop the same tone, no matter whether they're at the script-kid or grizzled guru stage of life.)
His purpose is to point out how much useful information about SQL and PHP apps are exposed not on careful examination of a server, but right in the URL.
Sitemaps designed to increase traffic using Search Engine Optimization tools designed to fawn over Google spiders are even worse, he writes.
They "will truly map everything it can find and then wrap it all up into a nice little XML file that the webmaster uploads to the search engines."
SEO tools can index databases and scripts, not just content, then expose those to anyone who knows the right sequence to search for.
"Incredibly, a lot of not-so-experienced webmasters will run the SEO tool and never look at the final output before sending it!"
It's not exactly a secret that this much info is exposed.
