It’s OK to Google Yourself

The Internet has made virtually any information accessible to someone who is determined to find it. This is great when you need to quickly look something up, but it can be decidedly uncomfortable when you are the target of the search. The Internet not only has tons of information, it also possesses a very long memory, meaning that any information that we expose can live on for a long time. As individuals, this is something that we almost take for granted. We know that when we apply for a job, someone in HR is going to scour the Internet and mine social media to see what can be found out about us (I’m regularly thankful that I attended college before the age of smart-phones and omnipresent cameras).

However, from a security practitioner’s point of view, this same sort of investigation can enable very sophisticated social engineering by an attacker targeting our end-users. It’s relatively trivial for an attacker to identify individuals inside of a target organization, and then proceed to find their interests, hobbies, and a variety of contact options that the attacker can use. This, of course, has led to lots of end-user training designed to teach employees to have a healthy degree of skepticism when on the Internet or in their email accounts and the dangers of over-sharing when online. This makes intuitive sense to most of us when it concerns exposing information about people. This is equally true of our networks, servers and technical infrastructure that define our presence on the Internet. Yet many organizations seem to be relatively oblivious to the technical information that is readily available to anyone willing to search.

When Searching Goes Grey Hat

Search engines have become one of the most powerful reconnaissance tools in an attacker’s arsenal. “Google-hacking” refers to the use of specialized Google search queries to find all sorts of information that could be useful to an attacker. Queries that look for specific patterns in a URL can reveal the type of web-server being used and give the attacker important leads when looking for vulnerabilities. File searches can uncover configuration files or system logs that can reveal all sorts of details about the internal workings of an organization’s networks and applications. These sorts of things represent just the tip of the iceberg for someone with good Google-hacking skills.

However, the fun doesn’t end with Google. Increasingly, more specialized search engines and web-crawlers have been developed specifically with information security in mind. Enter Shodan.

Shodan is a specialized search engine that searches for devices as opposed to searches for webpages. It does this by automating the process of banner-grabbing, which will often reveal basic information about the server, including what kind of server it is, version of software it is running, and in some cases, the options that are supported. This information becomes incredibly powerful when it is aggregated for the Internet as a whole.

Take, for example, one of the most popular searches on Shodan. A search for “cisco-ios” and “last-modified” produces a massive list of IOS-based devices, but more importantly it shows a list of IOS devices that may not require authentication (a server that requires authentication will typically not include last-updated information in its banner). Similar searches have been done recently that were able to identify vulnerable SCADA and industrial control systems that were directly accessible to the Internet. You can read about this research in the ICS-CERT Monitor here. This sort of search obviously has incredible value to anyone involved in information security, whether one is a black hat, white hat or somewhere in between.

Bringing it Home

This sort of search capability is also incredibly valuable when protecting our own networks. For example, a Shodan search of hostname:ACME will find machines with ACME in the hostname or domain. This makes it very easy to search for our own organization to see exactly what Shodan can see (and therefore what any hacker could see). Similarly, a search that uses the net: filter can search for all devices on a certain IP range or subnet, again giving us the ability to see what information can be gleaned from our own devices.

Secondly, spending a little time on Shodan will put a fine point on just how much information can be leaked through banners, and why it’s valuable to take the time to hide some of that information. For example, another popular Shodan search is simply searching for the term “SCADA”. This search returns plenty of results, most of which only hit because the string SCADA is used as part of the hostname for the device. A search for the word ‘hospital’ or ‘clinic’ can quickly point someone to devices related to health care. This is a good reminder to be fastidious about naming and how we identify our Internet-facing devices.

This applies to virtually any industry.
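The self-check described above can be automated once banner data for your own address space is in hand. The following is an added example, not part of the original article: an offline audit that flags the three exposures the article names (revealing hostnames, version strings in banners, and IOS banners that carry Last-Modified). The record layout, the sample data and the function names are assumptions for illustration.

```python
import re

# Words the article notes are revealing when they appear in a hostname.
REVEALING_WORDS = ("scada", "hospital", "clinic")
# A product/version token in a Server header, e.g. "Apache/2.2.3".
VERSION_RE = re.compile(r"^server:\s*(\S+/\d[\w.\-]*)", re.I | re.M)

# Constructed sample records (documentation addresses, hypothetical hosts).
SAMPLE = [
    {"ip": "192.0.2.10", "hostname": "scada-hmi1.acme.example",
     "banner": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3\r\n"},
    {"ip": "192.0.2.20", "hostname": "edge-rtr.acme.example",
     "banner": "HTTP/1.0 200 OK\r\nServer: cisco-IOS\r\n"
               "Last-Modified: Mon, 01 Jan 2001 00:00:00 GMT\r\n"},
    {"ip": "192.0.2.21", "hostname": "core-rtr.acme.example",
     "banner": "HTTP/1.0 401 Unauthorized\r\nServer: cisco-IOS\r\n"
               "WWW-Authenticate: Basic realm=\"router\"\r\n"},
    {"ip": "192.0.2.30", "hostname": "www.acme.example",
     "banner": "HTTP/1.1 200 OK\r\nServer: nginx\r\n"},
]


def audit_banner(record):
    """Return sorted findings for one {ip, hostname, banner} record."""
    findings = []
    host = record.get("hostname", "").lower()
    banner = record.get("banner", "")
    for word in REVEALING_WORDS:
        if word in host:
            findings.append(f"hostname reveals role: '{word}'")
    match = VERSION_RE.search(banner)
    if match:
        findings.append(f"server version disclosed: {match.group(1)}")
    # Article's heuristic: an IOS banner that includes Last-Modified was
    # probably served without an authentication challenge.
    lines = banner.splitlines()
    served_ok = bool(lines) and lines[0].split()[1:2] == ["200"]
    lower = banner.lower()
    if served_ok and "cisco-ios" in lower and "last-modified:" in lower:
        findings.append("cisco-ios banner served without authentication")
    return sorted(findings)


def audit(records):
    """Map each IP with at least one finding to its list of findings."""
    return {r["ip"]: f for r in records if (f := audit_banner(r))}


if __name__ == "__main__":
    for ip, findings in audit(SAMPLE).items():
        print(ip, "; ".join(findings))
```

Hosts that return no findings, such as the router answering 401 and the web server with a bare product name, are left out of the report.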

What I’ve shared here is really just scratching the surface in terms of what is possible, whether via Google, Shodan or any number of other search engines. But it’s important to realize what sorts of tools are available, how these tools are potentially being used and that we know just how much we are exposing to the outside world. Developing our own search skills will not only expose us to lots of interesting information, but can also significantly improve our own security posture.
