SecurityWeek


“Search Diggity” Project Brings Informative and Creative Hacking Tools

Project leverages popular search engines to identify vulnerable systems and sensitive data in corporate networks.

Information is the key; hackers on both sides of the law know this. Thus the tools recently released by security consulting firm Stach & Liu, and the DEF CON presentation given by Francis Brown and Rob Ragan, offer InfoSec teams a chance to win the information race.

During DEF CON, Francis Brown and Rob Ragan, both researchers for Stach & Liu, presented the Diggity Project’s inventions, including those that can be used to defend or attack, in a demo-based presentation. Last year during Black Hat, they presented a Google Hacking tool that earned them no small amount of props from the security community.

Google Hacking Project

During the presentation, the tool was used to show how Google Hacking exposed a mistake made by Groupon’s Indian subsidiary, Sosasta.com, and how it tracked the spread of the Liza Moon attack.

“Google has made it incredibly easy to find these types of vulnerabilities through their indexing and that has left many sites at risk. To put it in perspective, if Groupon.com had been using our tools, they would have gotten an alert via iPhone or Droid apps and found the vulnerability before anyone else did,” Brown said in a statement at the time.

This year, the duo discussed nine tools, two of which stand out. The first, AlertDiggityDB, represents the largest repository of vulnerability data on the Web, presented in an easily searchable database. They also have NotInMyBackYard, a tool that will help users find information that has been deliberately or accidentally leaked on to the Web.

“This tool leverages both Google and Bing, and comes with pre-built queries that make it easy for users to find sensitive data leaks related to their organizations that exist on 3rd party sites, such as PasteBin, YouTube, and Twitter. Uncover data leaks in documents on popular cloud storage sites like Dropbox, Microsoft SkyDrive, and Google Docs. A must have for organizations that have sensitive data leaks on domains they don’t control or operate,” the two explained in an overview of their DEF CON talk.

Other tools that fall under the “Search Diggity” Project include:


CloudDiggity Data Mining Tool Suite – Allows security professionals to download information mined from the Internet and quickly search it for sensitive data that may be vulnerable, such as Social Security numbers, credit card numbers, and passwords.

CodeSearchDiggity-CloudEdition – Replaces a recently discontinued tool previously offered by Google, enabling users to search through open source code. It lets security professionals search for vulnerabilities in open source software, which is often re-purposed and used in other environments, to help prevent flaws from being propagated through code reuse.


PortScanDiggity – Uses Google to search the Internet by domains, hostnames, and IP addresses, enabling security professionals to identify open network ports that may be vulnerable to attack. Security professionals can passively and instantaneously get results on exposed Web services that have been indexed by Google.

BingBinaryMalwareSearch (BBMS) – Uses a lesser-known feature of Bing to search for executable files that contain malware and identifies the source of the distributed files.

Diggity Dashboard – Analyzing more than 4 million entries in AlertDiggityDB, Diggity Dashboard enables security professionals to graphically view their own organizations’ data and potential vulnerabilities as they are mined from the database.

Diggity IDS, BingHacking Database (BHDB 2.0) – Updates to previous tools released by Brown and Ragan.
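The CloudDiggity description above boils down to one step: scan downloaded text for patterns that look like Social Security numbers, card numbers and passwords, then discard the hits that cannot be real. The scanner below is an added example written for this article, not code from Stach & Liu or the Diggity Project; the sample text, the regex patterns and the function names are all assumptions, and the Luhn checksum and SSA issuance rules are used to drop false positives.

```python
import re

# Constructed sample standing in for text a data-mining tool would download
# from a public site before scanning it. Every value below is made up.
SAMPLE_TEXT = """\
customer export (constructed sample)
name: J. Doe  ssn: 123-45-6789
name: A. Roe  ssn: 000-12-3456
card on file: 4111 1111 1111 1111
card on file: 4111-1111-1111-1112
password=hunter2
"""

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
PASSWORD_RE = re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)")


def luhn_ok(digits):
    """Mod-10 checksum carried by payment card numbers; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """Drop ranges the SSA never issues: area 000, 666 or 900-999, zero group/serial."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def scan(text):
    """Return validated findings by category; hits that fail the checks are dropped."""
    findings = {"ssn": [], "card": [], "password": []}
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings["ssn"].append(m.group(0))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings["card"].append(m.group(0))
    for m in PASSWORD_RE.finditer(text):
        findings["password"].append(m.group(1))
    return findings
```

Run `scan(SAMPLE_TEXT)`: the mistyped card number and the 000-area SSN are filtered out, leaving one finding per category.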

“With these tools, we’re giving security professionals an opportunity to identify and remediate security vulnerabilities and exposed data before an attacker can find and exploit them,” Ragan said.

The PowerPoint slides from Brown & Ragan’s DEF CON presentation can be seen here in PDF format. The Google Hacking Diggity Project can be accessed here. In addition, the portal also has videos and other documentation available to make the tools easier to use and understand.
