“Google hacking”, using the power & reach of Google’s web index to access sensitive information and hack into networks, is becoming more pervasive, organized and powerful. This article features Johnny Long, whose web site seems to be the starting point for anyone looking to turn Google into a hacker’s tool. From the article:
The list of what Long and his fellow Google hackers have been able to dig up is impressive: passwords, credit card numbers and unsecured Web interfaces to things like PBXs, routers and Web sites.
Hackers also use Google for reconnaissance. One of the most basic techniques is to wait for a major security bulletin and then use Google to search for Web sites that are “powered by” the buggy software. Attackers can also map out computer networks using Google’s database, making it impossible for the networks’ administrators to block the snooper.
Often, this kind of information comes in the form of apparently nonsensical information, something that Long calls “Google turds.” For example, because there is no such thing as a Web site with the URL “nasa,” a Google search for the query “site:nasa” should turn up zero results. Instead, it turns up what appears to be a list of servers, offering an insight into the structure of NASA’s internal network, he says.
But some of the most interesting hacks occur when Google’s servers are tricked into doing work for the hackers, Long says. A recent trend has been to create Web pages with thousands of fake links that trick Google into doing hacker reconnaissance work. The technique works on Web sites that require URLs with embedded user names and passwords for access to some areas.