Wednesday, February 16, 2005

Google Hacking Exposes Sensitive Material

By Andy Sullivan
WASHINGTON (Reuters) - Hackers have found a handy tool to take control of bank accounts, tap into corporate computer networks and dig up sensitive government documents.
It's called Google.

The Internet's most popular search engine can find everything from goldfish-care tips to old classmates in the blink of an eye, but it's equally adept at finding caches of credit-card numbers and back doors into protected databases.

"If you don't want the world to see it, keep it off the Web," said Johnny Long, a Computer Sciences Corp. researcher and author of "Google Hacking for Penetration Testers."

Unlike other intrusion techniques, Google hacking doesn't require special software or an extensive knowledge of computer code.

At a recent hackers' conference in Washington, Long demonstrated the eye-opening results of dozens of well-crafted Google searches.

Using Google, identity thieves can easily find credit-card and bank-account numbers, tax returns, and other personal information buried in court documents, expense reports and school Web sites that contain such information.

Google hackers can download Department of Homeland Security threat assessments marked "For Official Use Only."

They can gain control of office printers, Internet phones and other devices controlled through a Web interface -- including electrical power systems.

"One Google query, a couple of buttons, you can actually turn off power to their house," Long said.

Corporate spies can uncover passwords and user names needed to log on to a corporate network, or find poorly configured computers that still use default passwords.

A search for error messages can provide important clues for intruders as well.

One particular Google feature allows users to pull up older versions of a Web page. Such "cached" pages can turn up security holes even after they've been fixed, or allow an intruder to scan a network without leaving a footprint.

It's impossible to tell how often malevolent hackers use Google. But the recent emergence of computer worms that spread using the search engine suggests that Google hacking has been common practice for years, Long said.

"As soon as something gets to the worm phase, it's been in the manual phase for quite some time," he said in an interview with Reuters.

Long said Google should not be blamed for the effectiveness of its search engine, though he said the company could raise the alarm when it notices suspicious activity.

"Google removes content from search results under very limited circumstances," Google spokesman Steve Langdon said in an e-mail message, citing pages that contain child pornography, credit-card numbers and other personal information, or copyrighted material that is used without permission.

As awareness of Google hacking grows, security experts are boning up on search techniques to make sure their systems aren't vulnerable.

Long's Web site (http://johnny.ihackstuff.com) has collected more than 1,000 Google searches that can uncover flaws, and free software programs by Foundstone Inc. and SensePost can run those searches automatically.

Anybody with a Web site should Google themselves using a "site:" query that lists every Web site they have available online, Long said.

"The most practical thing I can tell people is to be fully aware of what their Google presence is. Companies and even individuals should be aware of what they look like through Google," he said.