28 Dec 2017
Search Engines: Free and Powerful Hacking Tools That Affect Your Cyber Security
Crowbars, hammers, and screwdrivers are commonly available hardware tools that can be used constructively or to commit a variety of crimes. Likewise, there are readily available software and online tools that can be used either constructively or for nefarious purposes. Many of these are powerful, free to use or own, and are great conveniences for both expert and aspiring hackers who pose a threat to your cyber security.
In addition to these tools, there are online courses in ethical hacking that teach and sharpen hacking skills. Of course, these resources would be difficult to outlaw because they also enhance security when used by security professionals. Among the most useful and potentially threatening of these tools are search engines.
How Search Engines Pose a Risk to Businesses With Poor Security Controls
Too many small businesses give cyber security a low priority because they believe that they're too small to interest cyber criminals. The fact that their website is just one out of millions makes it seem they benefit from safety in numbers. However, criminals often focus on exploitable vulnerabilities regardless of business size, and search engines expose many of these millions of websites to the hacker's view.
Finding vulnerabilities is just a matter of using advanced search operators. Business websites with lax security are often the very ones that allow search engines such as Google to index dangerous information that can reveal their vulnerabilities to hackers.
Hackers not inclined to experiment with their own search queries can use archived queries publicly available at the Google Hacking Database (GHDB). It lists hundreds of vulnerable files that can be indexed by Google. The categories of listed files include:
- Files containing usernames
- Sensitive directories
- Vulnerable files
- Footholds
- Vulnerable servers
- Web server detection
- Files containing passwords
- Sensitive online shopping info
- Error messages
- Network or vulnerability data
- Pages containing login portals
- Advisories and vulnerabilities
- Various online devices
Why is this list open to the public? It's meant for use by vulnerability researchers and security testers. Cyber security innovation can't happen without open access to information. Unfortunately, this also facilitates cyber criminal activity.
Hackers can easily use software that sequentially places all of these queries into Google. Unfortunately, the victims of these hackers are often the businesses that value cyber security the least.
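A site owner can look for this kind of exposure before a crawler does. The script below is an added example, not part of the original article: it walks a local copy of a web root and flags files that fall under a few of the categories listed above. The matching rules, function names and sample files are illustrative assumptions.

```python
import os
import re
import tempfile

# Illustrative rules (assumptions), keyed by category names from the list above.
NAME_RULES = {
    "Files containing passwords": re.compile(
        r"(?i)^(\.htpasswd|\.env|.*passw(or)?ds?.*\.(txt|csv|xlsx?))$"),
    "Network or vulnerability data": re.compile(r"(?i)\.(sql|dump|bak|log)$"),
}
SENSITIVE_DIRS = {".git", ".svn", "backup", "backups"}
INDEX_FILES = {"index.html", "index.htm", "index.php"}
SECRET_LINE = re.compile(r"(?i)\b(password|passwd|api_key)\s*[=:]\s*\S+")

def audit_webroot(root):
    """Return sorted (category, relative_path) findings for a local document root."""
    findings = set()
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for d in list(dirnames):  # version-control and backup folders
            if d.lower() in SENSITIVE_DIRS:
                findings.add(("Sensitive directories", os.path.normpath(os.path.join(rel_dir, d))))
                dirnames.remove(d)  # flagged as a whole, do not descend
        # Without an index file, a server with auto-indexing lists every file here.
        if filenames and not INDEX_FILES & {f.lower() for f in filenames}:
            findings.add(("Sensitive directories", rel_dir + os.sep))
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.normpath(os.path.join(rel_dir, name))
            for category, rule in NAME_RULES.items():
                if rule.search(name):
                    findings.add((category, rel))
            with open(path, errors="ignore") as fh:  # look for credential-like lines
                if any(SECRET_LINE.search(line) for line in fh):
                    findings.add(("Files containing passwords", rel))
    return sorted(findings)

def demo():
    """Audit a constructed sample web root; all file contents are placeholders."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"index.html": "<h1>Shop</h1>", "db.sql": "-- dump",
                   "old/config.txt": "password = example-only",
                   ".git/HEAD": "ref: refs/heads/main"}
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return audit_webroot(root)
```

Calling `audit_webroot()` on a copy of the deployed document root gives a list of files to move out of the web root or block in the server configuration.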