Unfortunately, it's now a whole lot easier to misuse one particular technology: internet search engines, muses Alan Woodward, CTO of Charteris.
Why? Because internet hacking groups have been busily issuing instruction manuals on exactly how to use search engines as a channel for serious hacking. In many cases would-be hackers don't even need to know the technical details of what they are doing but can simply cut and paste search criteria into the search bar.
Internet search engines, already so ubiquitous that we tend to take them for granted, are already among the most powerful technologies in the world. Their performance is close to miraculous. They scour the global web for the results we want and then present us with them, in about as much time as it takes a finger to click on a mouse. Search engines offer users a calibre of access to the internet that verges on the magical. Best of all, the user interface to a search engine is simplicity itself to use.
As always with truly powerful technology, though, there's a potential downside. In the case of the search engines, which in practice for most of us nowadays means Google, the downside is, unfortunately, that Google can easily be used to unearth information about you that you don't want people to know.
Why is this? Primarily because Google is so powerful. What Google (and other search engines) do is ensure that all information accessible via the internet is conveniently indexed so that you know exactly where to look should you require it, rather like the card indexes in libraries of old, except that internet search engines are billions of times faster. And card indexes meant you needed to trawl through huge numbers of cards to find the item one wanted, but even then you could only search what happened to be in that particular library.
Yet the power of internet search engines and modern computers now means that users anywhere in the world can search through an index of everything published on the internet, using a variety of criteria that match the material for which they are searching.
Sadly, this also means that anyone who is in the market for illicit corporate data (or who's just feeling mischievous, an emotion that the internet tends to indulge) can take advantage of search engines' power to find data to which the authors or originators of the data never intended them to have access but which have inadvertently been left exposed.
The unfortunate truth is that it's often very easy to use the internet to unearth data one has no business unearthing. It's true that, for example, just typing in 'show me all vulnerable data' doesn't (fortunately) bring up such information. However, search engines such as Google are a whole lot better at facilitating searches for such data than is commonly realised. Basically, that facilitation comes with the territory, and to some extent it's the price one pays for the tremendous power of search engines.
Google, for example, even has special tools, known as 'advanced operators', that search through the raft of data Google identifies from the internet. These advanced operators are query words that have special meaning when used with Google.
The operators enable a form of searching that most regular users would not dream was possible. To take just one example, 'link:' is an advanced operator, and the query [link:www.google.com] doesn't result in a normal search but instead should yield all web pages that have links to www.google.com.
Several of the more common advanced operators use punctuation or 'special characters' instead of words. Google itself freely gives details of these special operators on the page www.google.com/help/operators.html.
For Google users conducting genuine searches, advanced operators can be tremendously helpful resources. Unfortunately, they are also just as freely available to hackers, who exploit the fact that many people, when designing their website (or getting others to design it) and then going live with it, believe they've locked their front door (that is, are only going live with information they want to publicise) but in fact have left a window wide open alongside it and are inadvertently publicising information they want to keep secret. Worst of all, people operating or designing websites don’t know they have done this until, very likely, it's too late.
Not surprisingly, search engine providers know this is happening and want to combat it. Google, for example, will gently suggest you might like to use something called the 'Google Hacks Honeypot'. This is intended to help organisations who fear they have been compromised, or have the potential to be. It provides them with 'honeypots'.
This is a nickname for a set of dummy data that masquerades as valuable data but which is isolated from the real main computer network and which can track anyone attempting to access it. The honeypot appears to an intruder as if it were a bona fide business system offering easy access to sensitive data.
The great thing about honeypots is that they can be used to track hackers who attempt to access websites using information that may have been inadvertently left exposed. Google even points users to this initiative for help on how to regain the security edge. Honeypots work by turning the tables on the attacker by capturing information such as the attacker's network address.
Using honeypots may seem a little like bolting the stable door once the horse has fled. However, sometimes you can be in a position where you know that you have had an intruder but are not always sure what it is that they were looking at or who exactly they were. Honeypots are a way of having the intruders leave their sticky fingerprints on dummy data, allowing you to trace them and turn them over to the proper authorities.
To come right down to specifics, what kind of information can hackers potentially find out using search engines? The answer to this will, inevitably, vary from one website to another, but typical of the honey whose gathering a honeypot is designed to prevent would be:
- Username and password of the 'Administrator' account that controls the whole system,
- Personal information that could be used in identity theft,
- Files containing commercial sensitive financial information about a company,
- Details of customer credit cards,
- Perhaps worst of all, webcams broadcasting to the world when the owner thinks only he/she can view the broadcast.
The truth is that anything else that an organisation has published inadvertently (and, very possibly, without having realised that it has) may be at risk.
What can you do to combat these problems?
Fortunately, tools are now available that will analyse your internet presence to detect if you have left anything exposed that might be found by a search engine and could be located via one of these nefarious 'advanced searches'. These so called 'vulnerability scanners' have been around for a while but they tended to focus on known 'exploits' used by hackers to gain illicit access to your systems via the internet.
The whole black art of using the data collected by search engines to identify vulnerable sites has become known generically, and rather unfairly, as 'Google Hacking'. In the last few months well-known vendors of security testing software have added a facility for detecting Google Hacking to the features of their security software. A piece of security software with these kind of features is often known nowadays as a 'vulnerability scanner.'
There is an ever-increasing range of new ways which hackers find to exploit the power of Google to access information they shouldn't be accessing. Because of this, whatever vulnerability scanner you use must be regularly updated in just the same way that you need to keep virus checkers updated.
The checks you make or instruct your computer specialist to carry out on your behalf should include a vulnerability check against Google Hacking, and also incorporate defences against all known types of past and current hacking techniques that use internet search engines much as hostile extra-terrestrials use air-shafts.
Overall, the message is clear: be vigilant. The likelihood of this kind of attack is increasing all the time. Using vulnerability scanners is essential if you want the peace of mind that your computer system is protected against this kind of dangerous interference and unauthorised viewing.