Recently I came across “Need a Windows XP Key? Google can help!” on Digg top stories. And boy was I amazed!

If you have been following the information security world for a while, you know you could use the incredible powers of Google in both good and bad ways. For example, a malicious user could perform site mapping (site: http://www.accuvant.com accuvant), directory listing (intitle:index.of “parent directory”), identify software vendor / version (intitle:index.of server.at site:accuvant.com) and scan CGIs (allinurl:/random_banner/index.cgi, allinurl:/cgi-bin/userreg.cgi) using Google. Not only that, one could join an online community like the Google Hacking Database and learn how to find thousands of live pages with usernames/passwords, error messages, sensitive directories and vulnerable servers on Google.

Enter Google Code Search. One can now find hundreds of bad code samples and live applications vulnerable to cross-site scripting, SQL injection and buffer overflow attacks. On a personal level, Google can expose your name, address, phone numbers, credit card numbers and social security information.

So what does all this mean to you and to your organization? Well, for starters, stop giving out personal information on the internet. No more guestbook entries with name, address and phone number. Credit card numbers should only be entered at trusted, secure sites. Never give out your SSN on the internet. For organizations, Google scanning should be a part of the application security program. Periodic Google searches should be conducted on the company as a whole and for all applications handling sensitive data. Automated tools like Wikto and SiteDigger would be useful.
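A self-audit pass in that spirit, as an added example that is not code from the original post: it runs over HTML you host (here, constructed sample pages with made-up hostnames) and flags the two signatures the intitle:index.of dorks above match, so they can be fixed before a search engine indexes them.

```python
"""Check pages you host for two Google-indexable signatures the post names: directory
listings (title "Index of ..." plus a "Parent Directory" link) and Apache-style server
banners ("... Server at host"). Added example, not the post's code; samples constructed."""
import re
from html.parser import HTMLParser

# e.g. "Apache/2.4.41 (Ubuntu) Server at intranet.example Port 80"
BANNER_RE = re.compile(r"(Apache|nginx|Microsoft-IIS)/[\d.]+[^<]*?Server at\s+\S+", re.I)

class _TitleAndLinks(HTMLParser):
    """Collects the <title> text and the text of every <a>...</a>."""
    def __init__(self):
        super().__init__()
        self.title, self.links, self._in_title, self._link = "", [], False, None
    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            self._link = []  # start buffering link text
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "a" and self._link is not None:
            self.links.append("".join(self._link).strip())
            self._link = None
    def handle_data(self, data):
        if self._in_title:
            self.title += data
        if self._link is not None:
            self._link.append(data)

def audit_page(html: str) -> dict:
    """Report which of the two signatures a single page exposes."""
    p = _TitleAndLinks()
    p.feed(html)
    listing = p.title.strip().lower().startswith("index of") and any(
        link.lower() == "parent directory" for link in p.links)
    banner = BANNER_RE.search(html)
    return {"directory_listing": listing,
            "server_banner": banner.group(0) if banner else None}

SAMPLE_PAGES = {  # constructed samples, not real hosts
    "http://intranet.example/backup/": (
        "<html><head><title>Index of /backup</title></head><body>"
        "<h1>Index of /backup</h1><a href='/'>Parent Directory</a>"
        "<a href='db.sql'>db.sql</a><hr><address>Apache/2.4.41 (Ubuntu) "
        "Server at intranet.example Port 80</address></body></html>"),
    "http://www.example/": ("<html><head><title>Welcome</title></head>"
                            "<body><a href='/about'>About us</a></body></html>"),
}
```

Loop audit_page over a crawl of your own hosts and treat any page with a hit as something to lock down (disable autoindex, strip ServerSignature) before it shows up in a search result.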
