Security Experts:

"Search Diggity" Project Brings Informative and Creative Hacking Tools

Project leverages popular search engines to identify vulnerable systems and sensitive data in corporate networks.

Information is the key; hackers on both side of the law know this. Thus the tools recently released by security consulting firm Stach & Liu, and the DEF CON presentation given by Francis Brown and Rob Ragan, offer InfoSec teams a chance to win the information race.

During DEF CON, Francis Brown and Rob Ragan, both researchers for Stach & Liu, presented the Diggity Project’s inventions, including those that can be used to defend or attack, in a demo-based presentation. Last year during Black Hat, they presented a Google Hacking tool that earned them no small amount of props from the security community.

Google Hacking Project

The tool was used during their presentation to show how Google Hacking was used to expose a mistake made by Groupon's Indian subsidiary, Sosasta.com, as well as tracking the spread of the Liza Moon attack.

"Google has made it incredibly easy to find these types of vulnerabilities through their indexing and that has left many sites at risk. To put it in perspective, if Groupon.com had been using our tools, they would have gotten an alert via iPhone or Droid apps and found the vulnerability before anyone else did,” Brown said in a statement at the time.

This year, the duo discussed nine tools, two of which stand out. The first, AlertDiggityDB, represents the largest repository of vulnerability data on the Web, presented in an easily searchable database. They also have NotInMyBackYard, a tool that will help users find information that has been deliberately or accidentally leaked on to the Web.

“This tool leverages both Google and Bing, and comes with pre-built queries that make it easy for users to find sensitive data leaks related to their organizations that exist on 3rd party sites, such as PasteBin, YouTube, and Twitter. Uncover data leaks in documents on popular cloud storage sites like Dropbox, Microsoft SkyDrive, and Google Docs. A must have for organizations that have sensitive data leaks on domains they don’t control or operate,” the two explained in an overview of their DEF CON talk.

Other tools that fall under the “Searcg Diggity” Project include:

CloudDiggity Data Mining Tool Suite – Allows security professionals to download information mined from the Internet and quickly search it for sensitive data that may be vulnerable, such as Social Security numbers, credit card numbers, and passwords.

CodeSearchDiggity-CloudEdition – Replaces a recently-discontinued tool previously offered by Google, enabling users to search through open source code. It enables security professionals to search for vulnerabilities in open source software code -- which is often re-purposed and used in other environments – to help prevent flaws from being passed around through code reuse.

Google Hacking

PortScanDiggity – Uses Google to search the Internet by domains, hostnames, and IP addresses, enabling security professionals to identify open network ports that may be vulnerable to attack. Security professionals can passively and instantaneously get results on exposed Web services that have been indexed by Google.

BingBinaryMalwareSearch (BBMS) – Uses a lesser-known feature of Bing to search for executable files that contain malware and identifies the source of the distributed files.

Diggity Dashboard – Analyzing more than 4 million entries in AlertDiggityDB, Diggity Dashboard enables security professionals to graphically view their own organizations’ data and potential vulnerabilities as they are mined from the database.

Diggity IDS, BingHacking Database (BHDB 2.0) – Updates to previous tools released by Brown and Ragan.

"With these tools, we’re giving security professionals an opportunity to identify and remediate security vulnerabilities and exposed data before an attacker can find and exploit them,” Ragan said.

The PowerPoint slides from Brown & Ragan's DEF CON presenation can be seen here in PDF format. The Google Hacking Diggity Project can be accessed here. In addition, the portal also has videos and other documentation available, in order to make the tools easier to use and understand. 

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.