Exotically named hacking tools such as Low Orbit Ion Cannon and #RefRef have garnered plenty of headlines over the last few months but a new report suggests that the world’s favourite search engine might be an equally important weapon in the arsenal of cyber-criminals and hacktivists.
The report explains how a simple search on Google Code is all that’s needed to uncover a wealth of information that can be used to break into websites, cloud-based services and secure networks.
Google’s Code Search is a tool that makes it easy for those with technical know-how to search the vast amount of computer code that is publicly available online.
Researchers from IT security consultancy Stach & Lui report that hacking groups such as Anonymous and LulzSec are using Google Code search for a number of nefarious activities.
With a few well-crafted searches they can uncover passwords for cloud services, configuration files for Virtual Private Networks and find code that is vulnerable to common website hacking tactics such as SQL injection.
While the findings provide a much-needed wake-up call to online businesses, admins and developers, they also offer a fascinating insight into the motivation of hacking collectives such as Anonymous and LulzSec.
According to Stach & Lui, ‘Google Hacking’, as the technique is known, is believed to be Anonymous and LulzSec’s primary means of identifying potential targets.
Rather than being motivated by politics or injustice, hacking groups may simply be targeting organisations because Google Code search has turned up a vulnerability too tempting to ignore, making them less political action groups, more malicious 21st century Wombles.
So what can online businesses do to protect themselves from these online, evil Uncle Bulgarias?
The first line of defence is to make sure that developers are following established best practice and that executives are creating a culture where best practice is encouraged and supported. Including passwords in code has always been a bad idea and techniques to prevent and detect SQL injection vulnerabilities are well established.
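One way to check your own source tree for the two problems named above before the code is published anywhere searchable, as an added example (not code from this article or from the Stach & Lui report). The regular expressions, finding labels and sample files are assumptions made for illustration.

```python
import os
import re

# Heuristic patterns chosen for this example (assumptions, not from the report).
SECRET_RE = re.compile(
    r"""(?i)(?:passw(?:or)?d|secret|api_?key|token)\w*["']?\s*[:=]\s*(["'])[^"']{4,}\1""")
SQL_KW = r"""\b(?:select\s[^"']*?\sfrom|insert\s+into|delete\s+from|update\s+\w+\s+set)\b"""
# A quoted SQL literal that is then joined with +, %, .format( or PHP's "." operator.
SQL_CONCAT_RE = re.compile(
    r"""(?i)(["'])(?:(?!\1).)*""" + SQL_KW
    + r"""(?:(?!\1).)*\1\s*(?:\+|%\s|\.format\(|\.\s*\$)""")
# A Python f-string that interpolates a value into SQL text.
SQL_FSTRING_RE = re.compile(
    r"""(?i)\bf(["'])(?:(?!\1).)*""" + SQL_KW + r"""(?:(?!\1).)*\{""")

def audit_source(path, text):
    """Return (path, line_no, finding) tuples for one file's text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if SECRET_RE.search(line):
            findings.append((path, no, "hardcoded-credential"))
        if SQL_CONCAT_RE.search(line) or SQL_FSTRING_RE.search(line):
            findings.append((path, no, "sql-built-from-strings"))
    return findings

def audit_tree(root):
    """Audit every file under root, reporting paths relative to root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                findings += audit_source(os.path.relpath(full, root), fh.read())
    return findings

# Constructed sample files; every name and value below is made up.
SAMPLES = {
    "settings.py": 'DB_PASSWORD = "hunter2-constructed"\n'
                   'DB_PASSWORD = os.environ["DB_PASSWORD"]\n',
    "login.php": '$q = "SELECT * FROM users WHERE id = " . $_GET["id"];\n',
    "report.py": 'cur.execute("SELECT * FROM t WHERE id = %s", (uid,))\n'
                 'cur.execute(f"SELECT * FROM t WHERE id = {uid}")\n',
}

if __name__ == "__main__":
    for path, text in SAMPLES.items():
        print(*audit_source(path, text), sep="\n")
```

The password read from the environment and the parameterised query are not flagged; the literal password and the two queries assembled from strings are. Pattern matching of this kind has false positives and misses, so a hit is a prompt for review and a clean run is not proof of safety.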
Businesses should also prepare so that if they are successfully attacked after a data leak they don’t lose their shirt. Data stored in the cloud can be rendered useless to attackers by the simple expedient of encrypting it.
Stach & Lui warn that businesses using cloud services should also take a close look at the small print; many cloud service providers state that they don’t accept responsibility for leaks.
For more on this take a look at Stach & Lui’s Pulp Google Hacking presentation.
Sure, and libraries and Universities are allowing criminals to learn about how to commit crimes. This is another attempt to paint knowledge as too dangerous for the 'average' human, thereby requiring a class of 'elite' gatekeepers to determine what the rest of humanity can safely comprehend. Bollocks to that! Knowledge is our only path to freedom. Ignorance is not a prudent security strategy, online or anywhere else.
“online, evil Uncle Bulgarias” … really?
team sophos didn’t approve of anon taking down the pedos (despite the fact that ‘child porn’ is actually child RAPE) and have even gone so far as to refer to the hacktivists as “evil Uncles”, yet no attempt was made at giving any weight to the villainy of the child rapists by using descriptive references (or any other language tool at your educated disposal).
your repeated attempts (in various articles) to discredit the intentions of anon make me wonder whose pocket you’re in. or are you just an evil uncle of the far more nefarious kind and simply ired by access to your stash being jeopardized..?
careful that you don’t wag that dog of yours too long, lest the parakeets see the tail for what it is.
Kerckhoffs' doctrine: System security should not depend on the secrecy of the implementation or its components.