The Latest Hacker Mayhem Tool: Google Dorking

Hackers are constantly looking for vulnerabilities they can exploit to gain access to corporate networks, industrial control systems, financial data, and more. One of the best kept secrets in the hacker’s toolkit has become Google Dorking. It can be used to identify vulnerable systems and trace them to a specific place on the Internet. This begs the questions: how does Google Dorking work, what risks are associated with it, and how can organizations minimize their exposure.

At last week’s Gartner Security and Risk Management Summit in National Harbor, MD, analysts Sid Deshpande and Ruggero Contu revealed that the global IT security spend will reach $92 billion in 2016 and is expected to grow to $116 billion by 2019. Despite these huge investments in perimeter defense, the industry is still struggling to get a leg up on cyber-attackers. The steady stream of data breaches at Hyatt, DNC, Twitter, SWIFT, and others continues to raise doubts about the effectiveness of these investments.

Obviously, most cyber-attackers don’t have the monetary resources to match the investments of enterprises and governments – nonetheless, they’re making very efficient use of the tools they have at hand. While commercial and public organizations often use the most advanced technologies available, hackers wreak havoc with an often minimalistic, but intelligence-driven approach.

In a cyber-attack that made headlines earlier this year, a suspected Iranian hacker used a simple technique called Google Dorking to access the computer system that controlled a water dam in New York. The technique is readily available and routinely used by hackers to identify vulnerabilities and sensitive information accessible on the Internet. Google Dorking, isn’t as simple as performing a traditional online search. It uses advanced operators in the Google search engine to locate specific information (e.g., version, file name) within search results. The basic syntax for using an advanced operator in Google is as follows:

Operator_name:keyword

Since its inception, the capabilities available in Google Dorking have been added to other search engines, such as Bing and Shodan. Meanwhile, anyone with a computer and Internet access can easily learn about advanced operators on Wikipedia or via other public sources. Even Federal authorities are paying attention to threats posed by Google Dorking. The Department of Homeland Security and the Federal Bureau of Investigation in 2014 issued a special security bulletin warning the commercial sector about the risks of Google Dorking.

So what can organizations do to minimize the risk of being hacked via Google Dorking? Here are three best practices:

1. Avoid Putting Sensitive Information on the Internet – The underlying threat associated with Google Dorking is that search engines are constantly scanning the Internet, monitoring, and indexing every device, port, and unique IP address connected to the Web. While most of this indexed data is meant for public consumption, some is not and is unintentionally made “reachable” by search engine bots. As a result, a misconfigured Intranet, or other confidential information resource, can easily lead to unintended information leakage.

2. Exclude Sensitive Websites / Pages from Search Index – Make sure that websites / pages that contain sensitive information cannot be indexed by search engines. For example, GoogleUSPER provides tools to remove entire sites, individual URLs, cached copies, and directories from Google’s index. Another option is to use the robots.txt file to prevent search engines from indexing individual sites, and place it in the top-level directory of the web server.

3. Use Google Dorking for Web Vulnerability Testing –  Implement routine Web vulnerability testing as part of your standard security practices and turn Google Dorking into your own pro-active security tool using online repositories like the Google Hacking Database (GHDB), which documents the expanding number of search terms for files containing usernames, vulnerable servers, and even files containing passwords.

Google Dorking illustrates that it’s time to rethink day-to-day vulnerability assessment and risk management practices. Ultimately, what determines our ability to minimize cyber risk is not the tools we’re using, but rather how we use them. In other words, we need to find ways to automate time-consuming security operations tasks and use an intelligence-driven approach that allows to more easily assess whether vulnerabilities are actually exploitable and what risks they represent.

Related: Dam Hackers! The Rising Risks to ICS and SCADA Environments